
Windows Analysis Report
d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe

Overview

General Information

Sample name:d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
Analysis ID:1472593
MD5:d96267ad9812c133efeea9de18b14c02
SHA1:3644d30f5b43b59afaceaae7f6a1cba2393d938c
SHA256:38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
Tags:exe
Infos:

Detection

PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe" MD5: D96267AD9812C133EFEEA9DE18B14C02)
    • powershell.exe (PID: 6832 cmdline: "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Yara matches (memory dumps): Source | Rule | Description | Author | Strings
Source: 00000000.00000002.1813427869.0000000002420000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000000.00000002.1813136682.0000000000B50000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_zgRAT_1 | Description: Yara detected zgRAT | Author: Joe Security
Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_zgRAT | Description: Detects zgRAT | Author: ditekSHen
  • 0x3d14e:$s1: file:///
  • 0x3d05c:$s2: {11111-22222-10009-11112}
  • 0x3d0de:$s3: {11111-22222-50001-00000}
  • 0x3b325:$s4: get_Module
  • 0x3b63f:$s5: Reverse
  • 0x36352:$s6: BlockCopy
  • 0x3632c:$s7: ReadByte
  • 0x3d160:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Yara matches (unpacked PEs): Source | Rule | Description | Author | Strings
Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.b50000.2.raw.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack | Rule: JoeSecurity_zgRAT_1 | Description: Yara detected zgRAT | Author: Joe Security
Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack | Rule: MALWARE_Win_zgRAT | Description: Detects zgRAT | Author: ditekSHen
  • 0x3b34e:$s1: file:///
  • 0x3b25c:$s2: {11111-22222-10009-11112}
  • 0x3b2de:$s3: {11111-22222-50001-00000}
  • 0x39525:$s4: get_Module
  • 0x3983f:$s5: Reverse
  • 0x34552:$s6: BlockCopy
  • 0x3452c:$s7: ReadByte
  • 0x3b360:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack | Rule: JoeSecurity_zgRAT_1 | Description: Yara detected zgRAT | Author: Joe Security

                  System Summary

Sigma rule match
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data:
  Command: "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force
  CommandLine: "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force
  CommandLine|base64offset|contains: Jy
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe"
  ParentImage: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
  ParentProcessId: 6984
  ParentProcessName: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
  ProcessCommandLine: "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force
  ProcessId: 6832
  ProcessName: powershell.exe

Snort IDS alert
Timestamp: 07/13/24-02:25:00.821757
SID: 2856255
Source Port: 49730
Destination Port: 7702
Protocol: TCP
Classtype: A Network Trojan was detected

                  AV Detection

Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Avira: detected
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | ReversingLabs: Detection: 42%
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Virustotal: Detection: 41%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Joe Sandbox ML: detected
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: costura.dotnetzip.pdb.compressed source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: Donexctvbl.pdb source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1823051520.000000001AF40000.00000004.08000000.00040000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000128A4000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1825575852.000000001BF50000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: costura.dotnetzip.pdb.compressed8 source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp

                  Networking

Source: Traffic | Snort IDS: 2856255 ETPRO TROJAN Win32/zgRAT CnC Checkin 192.168.2.4:49730 -> 185.125.50.121:7702
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 185.125.50.121:7702
Source: Joe Sandbox View | IP Address: 185.125.50.121
Source: Joe Sandbox View | ASN Name: INPLATLABS-ASRU
Source: unknown | DNS traffic detected: query: 233.75.3.0.in-addr.arpa replaycode: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.125.50.121
Source: global traffic | DNS traffic detected: DNS query: 233.75.3.0.in-addr.arpa
                  Source: cert9.db.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                  Source: cert9.db.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                  Source: cert9.db.0.drString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                  Source: cert9.db.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: cert9.db.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: cert9.db.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: cert9.db.0.drString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB819BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: cert9.db.0.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: cert9.db.0.drString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB80231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB80231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1825575852.000000001BF50000.00000004.08000000.00040000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000128A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.codeplex.com/DotNetZip
                  Source: cert9.db.0.drString found in binary or memory: http://x1.c.lencr.org/0
                  Source: cert9.db.0.drString found in binary or memory: http://x1.i.lencr.org/0
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB80231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB80C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000002.00000002.1951081105.000001CB819BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: Ajocmjvrr.tmpdb.0.drString found in binary or memory: https://support.mozilla.org
                  Source: Ajocmjvrr.tmpdb.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: Ajocmjvrr.tmpdb.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000013FF0000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012681000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000144D2000.00000004.00000800.00020000.00000000.sdmp, Joyenaltcq.tmpdb.0.dr, Lnwup.tmpdb.0.dr, Szfgnervp.tmpdb.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: Joyenaltcq.tmpdb.0.dr, Lnwup.tmpdb.0.dr, Szfgnervp.tmpdb.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, hu5jtJKG1agB7FrDKI3.cs | .Net Code: z2TKaC5YIM
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary

                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                  Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1825575852.000000001BF50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZip.dll@ vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1823051520.000000001AF40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDonexctvbl.dll" vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000128A4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDonexctvbl.dll" vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000000.1622602781.0000000000134000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMmndfmbaiif.exe" vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameClassLibrary1.dll" vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Binary or memory string: OriginalFilenameMmndfmbaiif.exe" vs d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, rAAgqlCucMcSNfoNWX.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, Program.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.12a129e8.7.raw.unpack, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.12a129e8.7.raw.unpack, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.12a129e8.7.raw.unpack, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bf50000.11.raw.unpack, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bf50000.11.raw.unpack, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bf50000.11.raw.unpack, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/24@1/1
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.log
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Mutant created: \Sessions\1\BaseNamedObjects\ff47b2f48f5e179d
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | File created: C:\Users\user\AppData\Local\Temp\Jeoeqla.tmpdb
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Noqkscra.tmpdb.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | ReversingLabs: Detection: 42%
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Virustotal: Detection: 41%
                  Source: unknown | Process created: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe "C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe"
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, mswsock.dll, sspicli.dll, wbemcomn.dll, uxtheme.dll, windowscodecs.dll, edputil.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, dpapi.dll, ntmarta.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: costura.dotnetzip.pdb.compressed source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: Donexctvbl.pdb source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1823051520.000000001AF40000.00000004.08000000.00040000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000128A4000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1825575852.000000001BF50000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp

                  Data Obfuscation

                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, rAAgqlCucMcSNfoNWX.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, m989GcfHd7fhfdgggKZ.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, cLxg1VivqXKPVdAKiHb.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, Program.cs | .Net Code: Main System.AppDomain.Load(byte[])
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.128353a0.6.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.128353a0.6.raw.unpack, ListDecorator.cs | .Net Code: Read
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.128353a0.6.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.128353a0.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.128353a0.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, aEgQZc5U75Q0FBnXiWh.cs | .Net Code: weX8KVcUDy
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, BvK8wPBQakvfJfnIbN.cs | .Net Code: OUtql2FQC4 System.Reflection.Assembly.Load(byte[])
                  Source: Yara match | File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.b50000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.2420000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1813427869.0000000002420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1813136682.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe PID: 6984, type: MEMORYSTR
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: 0xAB4B04F1 [Mon Jan 24 19:26:41 2061 UTC]
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Code function: 0_2_00007FFD9B887967 push ebx; retf 0_2_00007FFD9B88796A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B890E62 push eax; iretd 2_2_00007FFD9B890E9D
                  Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | Static PE information: section name: .text entropy: 7.9518487325127385
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, m989GcfHd7fhfdgggKZ.csHigh entropy of concatenated method names: 'cEgPvTVA4XxvMWAeejM', 'nOA8UlVrrEyRNVx0sl9', 'UeZaxFYNO9', 'Qh82N1Vwg1J4gseEpPn', 'ohS880VxBbNNn24HjyF', 'jQnP4kVF45BaJ9lQjCa', 'uIsw40VQVpAmZ8AKIdx', 'rhPaJLVmQLWQsVAeWOy', 'WCwYwfVEhP951fQ2L19', 'EWFtu3VTtXGdW8CPUhm'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, eak4rFMMoTXo3YGp42.csHigh entropy of concatenated method names: 'zQ1nXJAiV', 'fYZyaULw9', 'uZ9qnMxUa', 'iGDPZAJgD', 'fpk1wiFwK', 'JMwL5RPcV', 'MWP9MxA2YqVcqnsl95Z', 'PSNJTFAHtHoopaT49Yt', 'g1aXSZAgLhNKrelR2iq', 'O9fHG3Aza9OatsY9VSY'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, Die8INfM5brR1nT1dys.csHigh entropy of concatenated method names: 'qwIfnPHIqS', 'xn1fy7qV82', 'FXqCu4VdsAFKj9I4ETy', 'qkA4egVl8m8f2VO6njE', 'aAxy0PVKTC8VPmjlTwF', 'fPpJ0KVJLRsJjUKfcNi', 'NoekqsVephmet1kCwiZ', 'JXcWn6VXffWT5t3uCBP', 'sZMSVSVtLUuo9sXyi2x', 'h6TGTbVfV5S8XQISfC5'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, XbamWifV8cgU3clN88H.csHigh entropy of concatenated method names: 'UySfxAwKeA', 'O8efFX0VVV', 'eDUfQ84e0w', 'cbrfmJsJm4', 'IIsfElostd', 'B7Nf56ofX3s2MymjHOI', 'dngadAoO4KWOJGLQh9o', 'NpPNB2oaGv0wb1jgNtI', 'nCLpcXo5lKlI40IyZ7X', 'puepDMoN3FnWKHQY6EL'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, TOgd9xNDvYgaV60Csv.csHigh entropy of concatenated method names: 'CqChQxk3u', 'qaeOSTBojdjYZRpVGLQ', 'Hgo6WBBVu6XAw33pwo0', 'MoZmqWBwSPhPnAqyhWg', 'ib9I7cBxZxxyI6tydeQ', 'VLlOySBFDoLSijV79NP', 'rOxluYBQp3JcR5jnx05', 'tT1VhNBmTxU1Yp6K6H5', 'lxljFgBESDhE9N1S1AV', 'Ae7nPpBTrss6WZsbutm'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1af40000.9.raw.unpack, wQLbAhfGtlktEjfO95O.csHigh entropy of concatenated method names: 'yZ0fRyyWTd', 'tDjfugOaED', 's82RceoCVNfbGK8pABM', 'cDLn6Zo017ityUpSSdt', 'KkUJE4o4OJIJbN83RTk', 'HJ7sTFosZTKYXM4jret', 'jmSoyUoMMNqQftfjgAH', 'U7EAEyojSAnwIMY9E36', 'l09cJooRtuhcCd5w6qA', 'AvB4mXoum1fWxbAkchw'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, fjjqGO0hvSRjxJxcUeI.csHigh entropy of concatenated method names: 'AF20x1YmIB', 'wsZ0taVnKm', 'xbH0J6RXP7', 'Y4t0W2AgSG', 'S1H0L2l8pg', 'Rpc0EiHn6i7klJ8lFk3', 'SoMMBJHCqZdWefTJ1ai', 'xO9sKqHEj0qoaUwVNWw', 'zSe0NdHN0VMTUoFnRKK', 'EG9CmjH7QVioNuFmcHO'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, c76rLuc1OPxJNrkrpt4.csHigh entropy of concatenated method names: 'keAcv8DI2S', 'VJqcrmNP4P', 'v2XcoWpK4C', 'F67cpAE39U', 'ln9cQ6AqHt', 'Lmtc8nNuvd', 'zrfrcPVQITEYEwYMurR', 'CIU0Q3V86qxuaXBOkGa', 'g8HtwVVSy0O1gIBscMM', 'OLYwydVHFE15H7ikuPF'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, KVctFT4fKsCBP9YdbF1.csHigh entropy of concatenated method names: 'VDkO2KEDY9', 'Mrey0BSyl0KUPrCEJqR', 'PQMykiSmea7nKZnd3nc', 'Os0OleVK2y', 'zXsOqPFu4b', 'mhsO5SYJK6', 'PM3OAqAXns', 'S9YOGrF8oZ', 'etoOXNM2fw', 'PI6OaY2a1V'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, LWicU8cUFDjquI2bNSm.csHigh entropy of concatenated method names: 'i8jctrmqyh', 'cAccJfZV5e', 'I4ecWd2eAv', 'mR7cL8Mq3f', 'G9W0SRVEIAydilT8RWH', 'CG028hVND7k2q7vm85T', 'Uj3oQMV928muJGp9AfO', 'DYvHcAVBYEVFy0AesqZ', 'RnwQ4fVnUnZrVadaGFi', 'b9g7G0VCOmfur5CYTPx'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, capBNy2GiHYRX4XiCVP.csHigh entropy of concatenated method names: 'atc2ab3cZA', 'F3A2kQSAkO', 'c3H22PYfPM', 'hgn6E4QRQb9J5k3WDBL', 'VRyBJGQyEUGsB5N4iIj', 'ei7qGdQmpRElcGIMXyg', 'jiws5fQgYujAI40bmHG', 'R1PtvqQikPAlI0J663o'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, QTS7vvOYTtKRPZYqZ6A.csHigh entropy of concatenated method names: 'aKrOb2ldHD', 'VRuORfiiCU', 'gTJOyHBlAl', 'B7rOmrQ58V', 'peCOgFoTOf', 'Fy5OiqAhlq', 'iAhBbhSoFBIwQ7eZvg8', 'beWHlLSpAlnW63Hhc1V', 'eL5XI1SQOTQufbpSnT7', 'jEgcWMS81YvkK30nWyT'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, qweCvpqeoUr8cKH2XNm.csHigh entropy of concatenated method names: 'IhbqUwoVHD', 'YgO0xmvB33tAr3oxLHT', 'bdQEjZvLlbbgsBL46Iy', 'Q1jauOv9nWJWb6OpFaP', 'nVbtZsvEqp1OKu7H4XX', 'O6UpefvNJCIarRdkNfp'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, Y6eVC24FQ8H9gXRSZrT.csHigh entropy of concatenated method names: 'nvc4rsFRKL', 'HYqqif8VFHW7pJrpKCk', 'tuqhaI8PVdl2Tp3PTAa', 'H549e78jwTcjhtE1xd3', 'XgE1x98I5MwKQeHup3Z', 'jqXbHd8M7QUoyB2rgKY'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, GADkTJGjt66Zhh45eWP.csHigh entropy of concatenated method names: 'vhYGMaoZlQ', 'DCjGdVI5Ou', 'CDeGuqTbTc', 'LsdGeaKurB', 'gvRGh3utUS', 'uf5GUReBLu', 'e5UGx63nGa', 'ia0GtkAfL6', 'mcyGJqOQFy', 'oBeGW3k25q'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, lsLDSyAHWOyIGYCoPFq.csHigh entropy of concatenated method names: 'Mi1AVIkNUd', 'Cn4APaFTI5', 'IbEAjZRtid', 'Sj0AIIcF6m', 'W80AMsZy7P', 'SohAd3X2NR', 'DBtAuIHTRd', 'MRgtBYoFTWyoZcwpJbv', 'aYbZwJovwV99W5Jp7Xk', 'AAnWt6orjFoOvdE76sK'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, dHooNxRvjakWUVogZLS.csHigh entropy of concatenated method names: 'VFaRoK7FOQ', 'a9GRpELIJ7', 'sRUrMWjoKq5LXS12hdj', 'i6GNZRjpYr1uhriVWJx', 'CO6RI6jQ7NTYtB4RRqI', 'n84FpNjvxa4XHurbLIc', 'PnyAnsjr4juUyJhhNTP', 'pxsLT0j8glPdfa3EeCE'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, gQEQoo2VcsIuCsZJLev.csHigh entropy of concatenated method names: 'PjK2jQmhWI', 'vvr2IwBejI', 'CMK2MaSywn', 'XZN2doM9bc', 'svC2u3T3ds', 'r8X2eixIVy', 'hb42hIvCCO', 'ddo2UQisur', 'rU22xhdFkl', 'aSJ2ty6ZCQ'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, sG4wt3YlZNNtpsfVAHe.csHigh entropy of concatenated method names: 'wTsYayCV7O', 'dPlYkYtZwb', 'S2EY23V3Zw', 'kRgYKAa4K5', 'zSCY4eUUMc', 'apW4E0P01TCE10leSTd', 'e7tOeNP3WgHvQ6cIQC4', 'sw1Y5pN8dE', 'GL1YAqxEOM', 'NJvYGkVPwM'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, RQaSWVOoOVrpvJ7k2mi.csHigh entropy of concatenated method names: 'oEoOQGnUGx', 'JZpO8e2Zc2', 'NsCOSNgHBr', 'a78OHgXYGZ', 'tTROD1NmCe', 'z60OVAsa8D', 'EGJj4rSd88ge2fwqxeN', 'ebwo1WSuD2Es4xAkS3o', 'uH9Bs5Se4PdZ5rHy5Bv', 'oeksrDShdoLlqmqaalr'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, BvK8wPBQakvfJfnIbN.csHigh entropy of concatenated method names: 'F11NuHd5K', 'uSenOUUWP', 'C9DCxVlsp', 'Qq47TaSfr', 'Vq9fsKi2q', 'skwzYHmMj', 'OUtql2FQC4', 'jLjqqiHC5t', 'Nqyq5jxaxX', 'Y9KURtvZcSB4OPWRhtp'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, brNUMWZI1ElyPmCgnRu.csHigh entropy of concatenated method names: 'i1GZdH0Avl', 'dqnC2bDfGtBT4BE99uu', 'YcJJ7eDzTcAw8h9LEdZ', 'JjZjU5VldrRIBMSuhCo', 'PZ01fOVqkafjy3O2wlv', 'HBk1lHV5t8YNkFfiKKk', 'TGxnAVVA4S5GyGBbThG'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, IrLmSMG0fWWgKF2TQDw.csHigh entropy of concatenated method names: 'opRGs3jyJv', 'iDAqBhplRSoH1TYDnLj', 'bJrh4spqk8AnstK7WcS', 'svcdcqof1Bo7kSJUK0M', 'es1ZYmozgwgiZJ1w3eb', 'j7QIOgp5lFpNwXXkVvn'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, RnY12TA5klXPLyiySWo.csHigh entropy of concatenated method names: 'beqAGma09m', 'eZ7OHJrUQ9CjlHskXuA', 'AOHyn8rxiuTc1VL3V6B', 'uk5ICRrtpO1ggnvZBQJ', 'hqFfMZrJ5cywgZNg8nu', 'd1d0JlrWMyAfNcLOntG'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, wpDAL1bFuWcemcdRqgf.csHigh entropy of concatenated method names: 'Dispose', 'i9sQ4xPLcpWsW1xeLRR', 'fRcMgkP9iaql0yVLpAA', 'hi0vKPPJqVtCrakcvFA', 'ktf2FjPWyNYn5gD3Znv', 'aAEqCjPBDkEnComCrNU', 'Fcr5rvP750hR2NqcMIu', 'K440g9Pf89ixy2w0RxY', 'XjsoV6jlQSq2cX13C14', 'bp5wpljqVN9ML7GMRAb'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, uycrb3qxQqQjSqdftZo.csHigh entropy of concatenated method names: 'XvHqNM8i4m', 'xkoskJrAuc4kQLMGMVj', 'qtn4sNrGS1gLLhIx9dm', 'bgrGX5rXHYrZB96kHEG', 'wmBqCda7RA', 'uqwq7y98uN', 'G0f6YgrkCiugKys1GG4', 'QvWUEpr2cg1jZ5Xr2wf', 'BFCfCsrK3L0NB4JXkoG', 'jnS5qmcacK'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, EjD3KIZhYgXxF43EgY5.csHigh entropy of concatenated method names: 'qEbZnAs6M4', 'GvKZCIodE8', 'ExcZ7EQK3l', 'mHJZf8yhkC', 'ctxZztLcjd', 'daPclw0mhE', 'pBHcqNFDfp', 'njbc5mJeQq', 'WWjcAgsXxA', 'jAycG17NjV'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, cLxg1VivqXKPVdAKiHb.csHigh entropy of concatenated method names: 'imhGt1I1Im3ufkwam41', 'PlTJGYIFh6TVNxujhVr', 'nLE1lFTMhl', 'BsqWOhIpECspVDi6fCq', 'OBfv2cIQtBukdT01ZJv', 'aukMsnI8EdPArDyUrvM', 'eMrp0sISmRmTMgBsk7y', 'g38PJ8K3c0', 'MAI1kVyT98', 'tir12s4ZQk'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, qXwNvgTDO5S0rFRG02E.csHigh entropy of concatenated method names: 'k5MTPTwBYj', 'trmTjIt6bc', 'AGEYk1H5N0i5J63YLqk', 'qumGAWHALTl1Mxp8nvB', 'FsoKxMHGg9OFwmdSFZ9', 'IatPhFHXwcyKWv9NbQV'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, w5VySpAKsAdWEyeyh1L.csHigh entropy of concatenated method names: 'vrcAgrkF6Y', 'DdH7oroAx4Ppccson9c', 'W2KNUQoGHhDJSw0KUJi', 'Ne3LyQoXnxIgvZ99OUN', 'BeyAOeJyrt', 'ABxATHyJRj', 'xqGA0krbeu', 'SaeA3l4aub', 'dTxAsIYxYy', 'h4vAZjAJma'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, TkyIPcTNhQ8Ovm9sZYS.csHigh entropy of concatenated method names: 'Dispose', 'y9YgafHQpjmGKFNspOe', 'rFiEGxHo4W1nhuEmSKM', 'WbvFqeHphbXrEhLNFjq', 'Paf2rfH81MWd0rpiu2m', 'I4MWZcHSGJqpw4VopnR', 'l6bXxBHjILZdecy1MRE', 'IqjBObHIU0jeo61ejhY', 'uVFwmIHdLT8Q2hEDn2l', 'n4BRSGHukFJU70Jl5Ph'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, EyUmHpZDAWAhWQsv4H.csHigh entropy of concatenated method names: 'kTTYgxC8A', 'hIxwQiU4H', 'p1ubTB1J5', 'aFXRLhwMe', 'i1YymCTq4', 'acqmXkc9w', 'tyygjXBgU', 'PWDiBxGL4', 'MisQgdFL5SrD4rj9naF', 'snv6vqF92g7BFBUM994'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, bydUEn1gUAnWL8Sm347.csHigh entropy of concatenated method names: 'oNX1HjqGxN', 'AYT1DJ7UPw', 'YMX1VstA8C', 'gBK1PBi2rO', 'rIQ1jGPqD2', 'vlq1I91W2f', 'gco1MENaQu', 'nyc1d7U8sY', 'ELc1uYyGYB', 'YvC1ePxDVd'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, ixlaSY2QcGIF0ZrQ9oo.csHigh entropy of concatenated method names: 'JaZ2SO2X7e', 'WAH4FmQ9joH5YHsHG7j', 'B8QnH2QBjbAoAjWMuvZ', 'w07JPvQELkVWdYsBoAv', 'm9kGYWQNkEuHC1SB86v', 'B1jMFcQnh6KA3va8YTx', 'R2N8iqQCssag00ptMpB', 'pW7Z4CQ7j6ILKNdcxji', 'PSLlQ3QfJP7EICD4dhK', 'Wohc4rQzH0OaPEfc2qh'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, WlMuBdkKbKfnmwLWtGp.csHigh entropy of concatenated method names: 'me1k12vXlD', 'NyBkFaulHD', 'SFDkvrRDRh', 'yPmkr33ZVp', 'mYckoq9URi', 'OaTkpZvcAj', 'c3tkQA5Z2D', 'n7rm1AQq83T7ss7mQYp', 'fLy9ctQ5F0ouCqWBvw3', 'xZAkOUFnA0'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, jUitfU32YZ4hZJ2eSoH.csHigh entropy of concatenated method names: 'NyqYwND3lVsYr1ku6Jf', 'EOxSXkDTlWomfSjLLyH', 'vpsi7WD0npQ7kgL9ZY9', 'xNP3b6undG', 'blgna1DZY8oX1kt9YAR', 'fuRI3dDctJUsIyacGdw', 'KRc3gNchLj', 'd6cn9DDwJ6jN1ahg4nN', 'IwLYktDbSOvQmRfuP09', 'utxMWADRAf3NeZD23CO'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, IBj3d7ZpmxOtqvjDy0U.csHigh entropy of concatenated method names: 'OPuZ8hvP8C', 'qAMZSXaPH7', 'cmgZHvrxis', 'sQcZDccxrV', 'aAOZV924k8', 'niEcnPDLFoYJUZXmZso', 'gbI44LD9Tj3ycnZABaH', 'sFer3nDBefsvHbAv7g2', 'vuSW3ZDEJsrpaLXyr7c', 'wWCXpTDNsR1y1Utn1cs'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, YJAGZ7icGnV2a4pdkrT.csHigh entropy of concatenated method names: 'TeyiwiH278', 'Xh0ibgLdmI', 'voSiR1XnEu', 'Rhtiy2wAIx', 'i2Kimce972', 't3OFepIXEm1CLjZofvn', 'yOab3jIaZnLuGdpUIJe', 'ebAkkQIk2goJ00IEAv5', 'aSEF3wI2Bcsi6UiDwrf', 'nhbGxnIKQ8xpn1cCxmQ'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, p2HRsp3Q0I4hnP6bNEB.csHigh entropy of concatenated method names: 'ifm3SANe8l', 'YVd3Hl8yrl', 'M2B3DQ82pX', 'K2orncDofFyK7VBiahG', 'jZaVOKDvkTunX7h5ATK', 'qgh8bDDrI2MCYGrbiZP', 'MvowXDDpkrnp48uws3F', 'DIoCS0DQHopsrKnPt7Y', 'snt9wZD8cAPxqsh4YWa'
                  Source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, vwocD72mPkO9LGGkJbE.csHigh entropy of concatenated method names: 'F3Z21O50Sg', 'FcFWKBQutD8RLLVMWxm', 'BvCB46Qe6DjYxoMpT5H', 'KRNgELQhVThLQRkxZNG', 'UqphZiQUHIp4dmUrgex', 'nuGoWJQx9q29reswBlS', 'SUS2iW3sqK', 'MVx9dCQPUC31sYpl6LZ', 'cfq1jmQjnMXJBxOyhB2', 'uti2l7QIOKWqRmJ7c0H'

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File deleted: c:\users\user\desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                  Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe: Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Memory allocated: 5A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Memory allocated: 1A680000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Window / User API: threadDelayed 794
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Window / User API: threadDelayed 3292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6368
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3454
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe TID: 6280; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe TID: 7052; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6960; Thread sleep count: 6368 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6960; Thread sleep count: 3454 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2652; Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1812064525.0000000000683000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: model0Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Queries volume information: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe VolumeInformation
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1823700345.000000001B393000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
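The dump strings and WMI enumerations above are enough to reconstruct the shape of the sample's environment check. The following is an added example written for this report, not code from the sample or from Joe Sandbox: it applies the three patterns recovered from memory ("VMware|VIRTUAL|A M I|Xen", "Microsoft|VMWare|Virtual", "SBIEDLL.DLL") to constructed host profiles so a sandbox operator can see which SMBIOS values trip them. Assumptions, also marked in the code: which Win32_ComputerSystem and Win32_BIOS property each regex is matched against, case-insensitive matching, that any single hit is treated as an analysis environment, and the profile values themselves, which are typical vendor strings rather than values from this analysis. The delay value 922337203685477 in the Thread delayed lines is Int64.MaxValue ticks divided by the 10000 ticks per millisecond, that is TimeSpan.MaxValue expressed in milliseconds, which the helper below treats as an indefinite stall.

```python
"""Emulate the environment checks that this sample's memory strings describe.

Added example, not code from the sample or from Joe Sandbox. The three patterns
are copied from the dump strings in the report; which WMI property each one is
matched against, case-insensitive matching, and "any hit means analysis box" are
assumptions. The host profiles use typical SMBIOS vendor strings and are
constructed, not taken from this analysis.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Patterns as they appear in the dump, next to "select * from Win32_ComputerSystem".
CS_VENDOR_RE = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.IGNORECASE)
MODEL_RE = re.compile(r"Microsoft|VMWare|Virtual", re.IGNORECASE)
SANDBOXIE_DLL = "sbiedll.dll"          # loaded into every process Sandboxie confines

# TimeSpan.MaxValue is Int64.MaxValue ticks; at 10000 ticks per millisecond that is
# 922337203685477 ms, the "delay time" value shown in the Thread delayed lines.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000


@dataclass
class HostFacts:
    """Constructed stand-in for what the sample reads via WMI and the module list."""
    manufacturer: str                                 # Win32_ComputerSystem.Manufacturer
    model: str                                        # Win32_ComputerSystem.Model
    bios: str                                         # Win32_BIOS.SMBIOSBIOSVersion (assumed target)
    modules: List[str] = field(default_factory=list)  # module file names loaded in-process


def indicators(h: HostFacts) -> Dict[str, bool]:
    """Which of the sample's checks fire on this host, under the assumed property mapping."""
    return {
        "computersystem_vendor": bool(CS_VENDOR_RE.search(h.manufacturer)
                                      or CS_VENDOR_RE.search(h.model)),
        "model_virtual": bool(MODEL_RE.search(h.model)),
        "bios_vendor": bool(CS_VENDOR_RE.search(h.bios)),
        "sandboxie_module": any(m.lower() == SANDBOXIE_DLL for m in h.modules),
    }


def flags_analysis_env(h: HostFacts) -> bool:
    """Assumed decision rule: one hit is enough to treat the host as an analysis box."""
    return any(indicators(h).values())


def stall_is_indefinite(delay_ms: int) -> bool:
    """True for the TimeSpan.MaxValue sleep in the report, or any stall of 30 minutes or more."""
    return delay_ms == TIMESPAN_MAX_MS or delay_ms >= 30 * 60 * 1000


# Constructed profiles with typical SMBIOS strings for each platform (assumed values).
VMWARE = HostFacts("VMware, Inc.", "VMware Virtual Platform", "VMW71.00V.16707776.B64.2008070230")
HYPERV = HostFacts("Microsoft Corporation", "Virtual Machine", "Hyper-V UEFI Release v4.1")
XEN = HostFacts("Xen", "HVM domU", "4.11.amazon")
QEMU = HostFacts("QEMU", "Standard PC (Q35 + ICH9, 2009)", "rel-1.16.0-0-gd239552ce722")
SANDBOXIE = HostFacts("Dell Inc.", "OptiPlex 7090", "1.12.0", modules=["ntdll.dll", "SbieDll.dll"])
BARE_METAL = HostFacts("Dell Inc.", "OptiPlex 7090", "1.12.0", modules=["ntdll.dll"])

if __name__ == "__main__":
    for name, host in [("vmware", VMWARE), ("hyperv", HYPERV), ("xen", XEN),
                       ("qemu", QEMU), ("sandboxie", SANDBOXIE), ("bare_metal", BARE_METAL)]:
        print(f"{name:10} flagged={flags_analysis_env(host)} {indicators(host)}")
    print("indefinite stall:", stall_is_indefinite(922337203685477))
```

Run as-is it prints one line per profile. Two results matter to anyone tuning a sandbox: a Hyper-V or Azure guest ("Microsoft Corporation" / "Virtual Machine") and a Xen guest ("Xen" / "HVM domU") are caught by the same regex that catches VMware, while a QEMU/KVM guest with stock SMBIOS strings passes both WMI checks and is only caught by the module check if SbieDll.dll is present. The decision rule is an assumption; the report shows the queries and the patterns, not what the sample does after a hit.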

                  Stealing of Sensitive Information

Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Electrum
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: com.liberty.jaxx
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Exodus
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Ethereum
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1823700345.000000001B3CA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletses
Source: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.00000000028DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: keystore
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match; File source: 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe PID: 6984, type: MEMORYSTR
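The file and registry opens above are the raw material for a detection. The example below is added for this report and is not code from the sample or from Joe Sandbox: it normalizes each opened path or key, maps it to one of the categories the report's signatures use (browser credentials, cookies and history, crypto wallets, WinSCP sessions, the Outlook profile), skips the processes that legitimately own those stores, and flags any other process that reads a credential store or touches two or more categories. The event shape (a process image and a target), the owner allowlist, the two-category threshold and the generalization to any Chrome, Edge or Firefox profile directory are assumptions; the sample events are constructed from the opens listed above plus two benign control events.

```python
"""Correlate file and registry opens into the stealer categories this report shows.

Added example, not code from the sample or from Joe Sandbox. Assumptions: the
event shape (process image plus target path or key), the owner allowlist and
the two-category alert threshold. The watched artifacts are the ones the report
lists, generalized to any browser profile directory.
"""
import re
from collections import defaultdict
from typing import Optional

# Patterns are searched in a normalized target: lower case, the NT "\??\" prefix
# and the drive letter removed, HKEY_CURRENT_USER shortened to hkcu.
WATCHLIST = {
    "browser_credentials": [
        r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$",
        r"\\mozilla\\firefox\\profiles\\[^\\]+\\(key4|cert9)\.db$",
    ],
    "browser_cookies_history": [
        r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\(network\\)?cookies$",
        r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\(history|web data)$",
        r"\\mozilla\\firefox\\profiles\\[^\\]+\\(cookies|places)\.sqlite$",
    ],
    "crypto_wallet": [
        r"\\roaming\\exodus\\exodus\.wallet",
        r"\\roaming\\ethereum\\keystore",
        r"\\local\\coinomi\\coinomi\\wallets",
        r"^hkcu\\software\\bitcoin\\bitcoin-qt$",
        r"^hkcu\\software\\monero-project\\monero-core$",
    ],
    "winscp_sessions": [r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions$"],
    "mail_profile": [r"^hkcu\\software\\microsoft\\windows nt\\currentversion"
                     r"\\windows messaging subsystem\\profiles\\"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in WATCHLIST.items()}

# Processes expected to read their own stores; any other reader is suspect (assumption).
BENIGN_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winscp.exe"}


def normalize(target: str) -> str:
    """Lower-case, strip the NT prefix and drive letter, shorten the HKCU hive name."""
    t = target.lower().replace("/", "\\")
    if t.startswith("\\??\\"):                        # NT object path, as in the Coinomi string
        t = t[4:]
    if len(t) > 2 and t[1] == ":" and t[2] == "\\":   # "c:\users\..." -> "\users\..."
        t = t[2:]
    if t.startswith("hkey_current_user\\"):
        t = "hkcu\\" + t[len("hkey_current_user\\"):]
    return t


def classify(target: str) -> Optional[str]:
    """Return the watchlist category a target falls in, or None."""
    t = normalize(target)
    for cat, pats in COMPILED.items():
        if any(p.search(t) for p in pats):
            return cat
    return None


def triage(events):
    """Map each process that is not a legitimate owner to the categories it touched."""
    hits = defaultdict(set)
    for ev in events:
        image = ev["process"].rsplit("\\", 1)[-1].lower()
        if image in BENIGN_OWNERS:
            continue
        cat = classify(ev["target"])
        if cat:
            hits[ev["process"]].add(cat)
    return dict(hits)


def alerts(events, min_categories=2):
    """Processes that read a credential store, or span >= min_categories categories."""
    return sorted(p for p, cats in triage(events).items()
                  if "browser_credentials" in cats or len(cats) >= min_categories)


SAMPLE = r"C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe"
# Constructed from the opens listed in this report, plus two benign control events.
EVENTS = [
    {"process": SAMPLE, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db"},
    {"process": SAMPLE, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": SAMPLE, "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"process": SAMPLE, "target": r"\??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletses"},
    {"process": SAMPLE, "target": r"HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt"},
    {"process": SAMPLE, "target": r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"process": SAMPLE, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"},
]

if __name__ == "__main__":
    for proc, cats in triage(EVENTS).items():
        print(proc, sorted(cats))
    print("alerts:", alerts(EVENTS))
```

The `\??\` handling exists because the Coinomi string in the dump is an NT object path rather than a Win32 path; a rule keyed on `C:\` alone would miss it. Keep the owner allowlist short and exact: a browser reading its own Login Data is normal, but this example does not model the cross-owner case (one browser's process reading another browser's store), which a production rule should.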

                  Remote Access Functionality

Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe.1bc50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques are listed per tactic in the order the matrix shows them. The figure in parentheses is the number displayed on a matched cell, copied as extracted; cells without a figure are the matrix's unmatched entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (41); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (22); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (1); Virtualization/Sandbox Evasion (51); Process Injection (11)
Credential Access: OS Credential Dumping (1); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Information Discovery (44); Security Software Discovery (141); Process Discovery (1); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Data from Local System (2); Screen Capture (1); Email Collection (1); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Antivirus Detection

Source | Detection | Scanner | Label
d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.ZgRAT
d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | 42% | Virustotal |
d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | 100% | Avira | HEUR/AGEN.1323341
d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe
https://stackoverflow.com/q/2152978/23354 | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://support.mozilla.org | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17H | 0% | Avira URL Cloud | safe
https://github.com/mgravell/protobuf-net | 0% | Avira URL Cloud | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
https://github.com/mgravell/protobuf-netJ | 0% | Avira URL Cloud | safe
https://github.com/mgravell/protobuf-neti | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016H | 0% | Avira URL Cloud | safe
http://www.codeplex.com/DotNetZip | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
233.75.3.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | Ajocmjvrr.tmpdb.0.dr | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1951081105.000001CB819BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17H | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/14436606/23354 | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-netJ | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1951081105.000001CB80231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1951081105.000001CB80231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.1951081105.000001CB80C31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-net | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | cert9.db.0.dr | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | cert9.db.0.dr | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000013FF0000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012681000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000144D2000.00000004.00000800.00020000.00000000.sdmp, Joyenaltcq.tmpdb.0.dr, Lnwup.tmpdb.0.dr, Szfgnervp.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000013FF0000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012681000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000144D2000.00000004.00000800.00020000.00000000.sdmp, Joyenaltcq.tmpdb.0.dr, Lnwup.tmpdb.0.dr, Szfgnervp.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Ajocmjvrr.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1951081105.000001CB80231000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-neti | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | cert9.db.0.dr | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | cert9.db.0.dr | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/11564914/23354; | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/2152978/23354 | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.0000000012835000.00000004.00000800.00020000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814191075.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Joyenaltcq.tmpdb.0.dr, Lnwup.tmpdb.0.dr, Szfgnervp.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1951081105.000001CB819BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1977594636.000001CB901B3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | cert9.db.0.dr | false | URL Reputation: safe | unknown
http://www.codeplex.com/DotNetZip | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1825575852.000000001BF50000.00000004.08000000.00040000.00000000.sdmp, d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000128A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1951081105.000001CB80001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org | Ajocmjvrr.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Joyenaltcq.tmpdb.0.dr, Lnwup.tmpdb.0.dr, Szfgnervp.tmpdb.0.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016H | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1951081105.000001CB80001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, 00000000.00000002.1818512526.00000000127A5000.00000004.00000800.00020000.00000000.sdmp, Jeoeqla.tmpdb.0.dr, Urvabq.tmpdb.0.dr, Prhrzzwbhe.tmpdb.0.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.50.121 | unknown | Russian Federation | 207064 | INPLATLABS-ASRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1472593
Start date and time: 2024-07-13 02:24:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/24@1/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample based on specific behavior
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe, PID 6984 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6832 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
20:25:13 | API Interceptor | 42x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
185.125.50.121 | SecuriteInfo.com.Variant.MSILHeracles.172068.27755.23666.exe | malicious | PureLog Stealer, zgRAT
185.125.50.121 | 4FkYkTt9dE.exe | malicious | PureLog Stealer, zgRAT
185.125.50.121 | SecuriteInfo.com.Trojan.DownLoaderNET.987.29728.6216.exe | malicious | PureLog Stealer, zgRAT
185.125.50.121 | SecuriteInfo.com.Win32.RATX-gen.24946.23294.exe | malicious | PureLog Stealer
185.125.50.121 | SecuriteInfo.com.Trojan.DownLoad4.16337.3540.9873.exe | malicious | PureLog Stealer, zgRAT
185.125.50.121 | SecuriteInfo.com.Win32.CrypterX-gen.8664.12357.exe | malicious | PureLog Stealer
185.125.50.121 | SecuriteInfo.com.Trojan.Inject5.3917.9683.3142.exe | malicious | PureLog Stealer, zgRAT
185.125.50.121 | ka0UKl7202.exe | malicious | PureCrypter, PureLog Stealer
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INPLATLABS-ASRU | SecuriteInfo.com.Variant.MSILHeracles.172068.27755.23666.exe | malicious | PureLog Stealer, zgRAT | 185.125.50.121
INPLATLABS-ASRU | 4FkYkTt9dE.exe | malicious | PureLog Stealer, zgRAT | 185.125.50.121
INPLATLABS-ASRU | SecuriteInfo.com.Trojan.DownLoaderNET.987.29728.6216.exe | malicious | PureLog Stealer, zgRAT | 185.125.50.121
INPLATLABS-ASRU | SecuriteInfo.com.Win32.RATX-gen.24946.23294.exe | malicious | PureLog Stealer | 185.125.50.121
INPLATLABS-ASRU | SecuriteInfo.com.Trojan.DownLoad4.16337.3540.9873.exe | malicious | PureLog Stealer, zgRAT | 185.125.50.121
INPLATLABS-ASRU | SecuriteInfo.com.Win32.CrypterX-gen.8664.12357.exe | malicious | PureLog Stealer | 185.125.50.121
INPLATLABS-ASRU | SecuriteInfo.com.Trojan.Inject5.3917.9683.3142.exe | malicious | PureLog Stealer, zgRAT | 185.125.50.121
INPLATLABS-ASRU | ka0UKl7202.exe | malicious | PureCrypter, PureLog Stealer | 185.125.50.121
INPLATLABS-ASRU | https://steamcommunlty.duckdns.org/br-redeemSteamGiftCard=481928385858/IP: | malicious | Unknown | 185.125.50.1
INPLATLABS-ASRU | El7TD9RYMH.exe | malicious | RedLine | 185.125.50.19
                                    No context
                                    No context
Process: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1588
Entropy (8bit): 5.361611429115807
Encrypted: false
SSDEEP: 48:MxHKQwYHKGSI6oRAHKKkKtHTH0HNp51qHGIs0HKjJHj:iqbYqGSI6ouqKkKtzH0tp5wmj0qVD
MD5: 08D1E98E461529AC58F03EAC39380B0C
SHA1: E43B5DC69EA79C54E7C766A7C375A3B2D5572730
SHA-256: EC60B10475F1FB65EFADA5B907A093D92B4FFD135B8F77A89E21FED28874CA2C
SHA-512: B195941C3A4C5ACF9718D663CC8E9778A869F86B9EDF321D320B86DDBFA0A8B682FFCF9CBBDBCC49AFEA7CAF1558736A98ED58F47593AAB28A822284FA8B194B
Malicious: true
Reputation: low
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Managemen
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:NlllulTkklh:NllUokl
MD5: 8F489B5B8555D6E9737E8EE991AA32FD
SHA1: 05B412B1818DDB95025A6580D9E1F3845F6A2AFC
SHA-256: 679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
SHA-512: 97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
Malicious: false
Reputation: moderate, very likely benign file
                                    Preview:@...e................................................@..........
Process: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
File Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 5242880
Entropy (8bit): 0.037963276276857943
Encrypted: false
SSDEEP: 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5: C0FDF21AE11A6D1FA1201D502614B622
SHA1: 11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256: FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512: A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious: false
Reputation: high, very likely benign file
                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 229376
Entropy (8bit): 0.64343788909108
Encrypted: false
SSDEEP: 384:A1zkVmvQhyn+Zoz67dNlIMMz333JGN8j/LKXYj5kuv:AUUMXCyIr
MD5: B6787B79D64948AAC1D6359AC18AB268
SHA1: 0831EB15AB2B330BE95975A24F8945ED284D0BA4
SHA-256: 9D6FD3B8AB8AA7934C75EDE36CEB9CF4DDAD06C5031E89872B4E814D7DB674E2
SHA-512: 9296866380EF966F1CB6E69B7B84D1A86CD5AE8D9A7332C57543875FAA4FC7F1387A4CF83B7D662E4BAB0381E4AFC9CB9999075EBB497C6756DF770454F3530E
Malicious: false
Reputation: moderate, very likely benign file
                                    Preview:SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 294912
Entropy (8bit): 0.08436842005578409
Encrypted: false
SSDEEP: 192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
MD5: 2CD2840E30F477F23438B7C9D031FC08
SHA1: 03D5410A814B298B068D62ACDF493B2A49370518
SHA-256: 49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
SHA-512: DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
Malicious: false
Reputation: moderate, very likely benign file
                                    Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.08235737944063153
                                    Encrypted:false
                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):2.5793180405395284
                                    Encrypted:false
                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):2.5793180405395284
                                    Encrypted:false
                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):49152
                                    Entropy (8bit):0.8180424350137764
                                    Encrypted:false
                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                    MD5:349E6EB110E34A08924D92F6B334801D
                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.9470814544219905
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
                                    File size:921'088 bytes
                                    MD5:d96267ad9812c133efeea9de18b14c02
                                    SHA1:3644d30f5b43b59afaceaae7f6a1cba2393d938c
                                    SHA256:38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
                                    SHA512:8b202ef2e3c094b61101ee7c56f5a394de27da58cab266f3b4669ef98a4d83bb15ec3fc401ecb3af11bcdc7f43586e9f43f5719d6278bfbbdcbf376975cc5020
                                    SSDEEP:24576:pdZvmA/hqoZGYqDehsKTywPVpoPSTCcvplMEyk7ltK6P:pd1muqbYq3KPpoPSTCcvLauBP
                                    TLSH:E81522433AE54B15D2B8AF74C0E7492007E1DA8776B3CA89BD4447DE4E123E5CE9CB1A
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....K...............0.............."... ...@....@.. ....................................@................................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x4e22ee
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0xAB4B04F1 [Mon Jan 24 19:26:41 2061 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe22a0 | 0x4b | .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe4000 | 0x570 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x2000 | 0xe02f4 | 0xe0400 | 929dd9eb9c211943b8ba0c564ed43462 | False | 0.962219986761427 | data | 7.9518487325127385 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0xe4000 | 0x570 | 0x600 | 4034a87ff40ba33352f741ae465e8a3d | False | 0.4055989583333333 | data | 3.953482291680498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0xe6000 | 0xc | 0x200 | cff8b49a08f167784f9934c84c08d8fa | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_VERSION | 0xe40a0 | 0x2e4 | data | | | 0.4297297297297297
                                     RT_MANIFEST | 0xe4384 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                     DLL | Import
                                     mscoree.dll | _CorExeMain
                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                     07/13/24-02:25:00.821757 | TCP | 2856255 | ETPRO TROJAN Win32/zgRAT CnC Checkin | 49730 | 7702 | 192.168.2.4 | 185.125.50.121
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jul 13, 2024 02:25:01.295713902 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.295747042 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.295778990 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.301908970 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.301956892 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.301989079 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.301995039 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.302033901 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.302054882 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.307008982 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.307059050 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.307070971 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.307097912 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.307162046 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.312206030 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.312254906 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.312309027 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.312314987 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.316421032 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.316457033 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.316498041 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.316513062 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.316570997 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.321512938 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.321562052 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.321599007 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.321625948 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.325690985 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.325752020 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.325756073 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.325812101 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.325841904 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.325872898 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.330056906 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.330131054 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.330199003 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.330229998 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.330262899 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.330286026 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.334595919 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.334625006 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.334671974 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.336019039 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.336070061 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.336090088 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.339909077 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.339972973 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.340058088 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.345824003 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.345876932 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.345890045 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.345910072 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.345968962 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.346585989 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.346617937 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.346652031 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.346668005 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.346718073 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.346750975 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.346774101 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.349565029 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.349596977 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.349627972 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.351191998 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.351244926 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.351258993 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.352092981 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.352144957 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.352145910 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.352178097 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.352229118 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.354913950 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.354964972 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.355012894 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.355031013 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.357827902 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.357867956 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.357891083 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.357935905 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.357974052 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.357999086 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.360421896 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.360465050 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.360507965 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.360538006 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.360600948 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.362948895 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.362982035 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.363002062 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.363030910 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.365828037 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.365844965 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.365860939 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.365885973 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.365923882 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.368223906 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.368278980 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.368295908 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.368339062 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.371892929 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.371906042 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.371921062 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.371934891 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.371951103 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.371992111 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.377728939 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.377769947 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.377775908 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.377819061 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.377857924 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.383358002 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.383382082 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.383397102 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.383411884 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.383426905 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.383439064 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.383481026 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.389483929 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.389507055 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.389522076 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.389534950 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.389544964 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.389549971 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.389580965 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.389609098 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.394182920 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.394237041 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.394252062 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.394289017 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.395369053 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.395395041 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.395409107 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.395426989 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.395464897 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.399432898 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.399458885 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.399491072 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.399529934 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.400809050 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.400825977 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.400881052 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.400885105 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.400932074 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.401226044 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.404124975 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.404187918 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.423814058 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:01.430350065 CEST770249730185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:01.430425882 CEST497307702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:04.574702978 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:04.580400944 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:04.580588102 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.601841927 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.601841927 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.608866930 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.608908892 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.608938932 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.608968019 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609004021 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609031916 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609060049 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609060049 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.609113932 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609123945 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.609204054 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609231949 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.609304905 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.615700006 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.615885973 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.616208076 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.616249084 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.616358042 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.618089914 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.618120909 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.618146896 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.618149042 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.618175983 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.618191004 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.618773937 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.618803978 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.618874073 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.623125076 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.623153925 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.623181105 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.623213053 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.623260975 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:09.626580954 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.626610994 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.626638889 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.626666069 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.626692057 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631290913 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631331921 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631360054 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631386995 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631414890 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631493092 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.631520987 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:09.934919119 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.544280052 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.698656082 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.699073076 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.907684088 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.908000946 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.908310890 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.908513069 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.909286022 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.909471035 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.909497976 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.909667969 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.909811020 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.909840107 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.909869909 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.913427114 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.913856983 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.913909912 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.913938999 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.914109945 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.914601088 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.914628983 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.914657116 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.914794922 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.915057898 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.915086985 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.915113926 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.915144920 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.915184975 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.918853998 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.918896914 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.918924093 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.918925047 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.918953896 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.918982983 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.919009924 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.919068098 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.919095993 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.919159889 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.919260025 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.919332027 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.920025110 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.920068979 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.920094967 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.920104027 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.920121908 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.920161963 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.920340061 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.920403004 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.924352884 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924396038 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924423933 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924429893 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.924453020 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924455881 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.924474955 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.924514055 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.924704075 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924734116 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924761057 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.924871922 CEST497317702192.168.2.4185.125.50.121
                                    Jul 13, 2024 02:25:10.925060987 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.925092936 CEST770249731185.125.50.121192.168.2.4
                                    Jul 13, 2024 02:25:10.925124884 CEST497317702192.168.2.4185.125.50.121
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 13, 2024 02:25:01.877300024 CEST | 61328 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 02:25:01.888118029 CEST | 53 | 61328 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 13, 2024 02:25:01.877300024 CEST | 192.168.2.4 | 1.1.1.1 | 0xe82 | Standard query (0) | 233.75.3.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 13, 2024 02:25:01.888118029 CEST | 1.1.1.1 | 192.168.2.4 | 0xe82 | Name error (3) | 233.75.3.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


Target ID: 0
Start time: 20:24:53
Start date: 12/07/2024
Path: C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe"
Imagebase: 0x50000
File size: 921'088 bytes
MD5 hash: D96267AD9812C133EFEEA9DE18B14C02
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1813427869.0000000002420000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1813136682.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.1825178875.000000001BC50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1814432047.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 20:25:12
Start date: 12/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\Desktop\d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe' -Force
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:25:12
Start date: 12/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5014eac560e8bca7a4c34bf31ab934ca4776bec2ad76dd73b74eff70e8497631
                                      • Instruction ID: aaf346ddd7ce8158f50f3dc26f8a8e04e394cbc5792336a01ddc972843806b45
                                      • Opcode Fuzzy Hash: 5014eac560e8bca7a4c34bf31ab934ca4776bec2ad76dd73b74eff70e8497631
                                      • Instruction Fuzzy Hash: 61916972B1E50D6AE730AA958815AEABFA4EF51374F01017ED40DC72A1EE296F46C780
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23632800003b4d1b7587cdd81e0a232982a9e3d1905f187dd46f1d4a2c5e0f57
                                      • Instruction ID: 67d5f71d2cc7468cedb7693d7b8a27108260c4cb780b05f178eb69216c9b5926
                                      • Opcode Fuzzy Hash: 23632800003b4d1b7587cdd81e0a232982a9e3d1905f187dd46f1d4a2c5e0f57
                                      • Instruction Fuzzy Hash: 17916912B2EE8E1BFB6A9A5844A46647B91FF9574072540BFD058C31F7EF14BA028340
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb21a8dbe6357c0761146f02f2f9ef12a3b42bfaf70ea56e844f46e04eda1dcc
                                      • Instruction ID: d14d20b32d2961785fbe5281e51afc6300456e941ac86adea7e056f23fe30945
                                      • Opcode Fuzzy Hash: fb21a8dbe6357c0761146f02f2f9ef12a3b42bfaf70ea56e844f46e04eda1dcc
                                      • Instruction Fuzzy Hash: 9DA1B530B19D0D4FDB94EB58D4A4A7977E1FF98310F5201B9E02EC72E6DA34AC428780
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f790cf0501589c369c310d8424c9dda893e0517732f7857fab795e707c9271a
                                      • Instruction ID: 6cf50d2598c77c5ce294a3be370014d01d8bca15ba4d4b262242a40c05d96ae2
                                      • Opcode Fuzzy Hash: 4f790cf0501589c369c310d8424c9dda893e0517732f7857fab795e707c9271a
                                      • Instruction Fuzzy Hash: 73913A21B2E69D5FE769E76898752F87BA1FF45300F0501BAD04DC32E3DE2C6A418352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 07b7d80cf1608a231c583268db5a2aec714549f60c8d3712346d3e0edef75aa9
                                      • Instruction ID: 0cad65f368c2394f877533249a5cd92853e5ba81142b1f200b9b503025e74cd5
                                      • Opcode Fuzzy Hash: 07b7d80cf1608a231c583268db5a2aec714549f60c8d3712346d3e0edef75aa9
                                      • Instruction Fuzzy Hash: 45918131B1891E8FDB94EB68D495AB977E1FF98310B150179D01EC72A6DF34AC42CB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9015e4b5ea7c652c9301a425e1cdd195f26915040a68f9a50ebfb0dba2b1d235
                                      • Instruction ID: ee388c972fccb2c87d8c6fae55a435aa589036053f2a77068ca35a8bcc2ecd3e
                                      • Opcode Fuzzy Hash: 9015e4b5ea7c652c9301a425e1cdd195f26915040a68f9a50ebfb0dba2b1d235
                                      • Instruction Fuzzy Hash: 9181383172EB895FE756CB6C8869675BBE1EF89300F0545BFD088C72B2DE24E9028741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f837d0de2ea851efdaf3dfed971420a5d62a02986a0209efb0552a8d7ff499d0
                                      • Instruction ID: c4ceb649624d4b0f009bc013041733d1aa3abb4f15d36d158e77873e28038098
                                      • Opcode Fuzzy Hash: f837d0de2ea851efdaf3dfed971420a5d62a02986a0209efb0552a8d7ff499d0
                                      • Instruction Fuzzy Hash: F081AF31B189199FEB98EF58C494AB973E2FF98314B550279D01EC72A6DF34B942CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7594edae27ae07d7d39d6ad62d7aee9f40b57e1cf90723ac73d54be555f0a99a
                                      • Instruction ID: 590c4398c8be479737c9e7604ea19d25c3de8a66de3134ef7bff72cb1bf4768a
                                      • Opcode Fuzzy Hash: 7594edae27ae07d7d39d6ad62d7aee9f40b57e1cf90723ac73d54be555f0a99a
                                      • Instruction Fuzzy Hash: 63619351F2EE8F5EE6BA93AC043527817D2DFD9250B5A02BBC04DC72E6DD199A024341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 629d7c19aef2139d7b24e89e7fb32d0342fc73da047a9a7b990d39c7faa9bc97
                                      • Instruction ID: 0227fc32b5783cbd5d7aa38b87f1657495c49729fdf6f3efefaf4f90e0e0e1ee
                                      • Opcode Fuzzy Hash: 629d7c19aef2139d7b24e89e7fb32d0342fc73da047a9a7b990d39c7faa9bc97
                                      • Instruction Fuzzy Hash: B2712831F0E66E4BEB75A7A8D8607F977A0EF44310F0541B6D04CC71A6CE286A878BC1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2dcff25c9c62cdbf4702b63e27d834e2664e3cbb6ef7356d0abb95e124a1a970
                                      • Instruction ID: 24aad9723fb4853e14bdf6515e2c97766e47b94b7cdec43bb6ad7840e1874b5b
                                      • Opcode Fuzzy Hash: 2dcff25c9c62cdbf4702b63e27d834e2664e3cbb6ef7356d0abb95e124a1a970
                                      • Instruction Fuzzy Hash: 6C71E521F3D94A1AEB5CBBB854B59FA6391EF64340B4041F6D41EC31DBED38BA068342
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f8e0ab81ae361d283d6e86f9da7a6a6081e29c28d4c9aecc3c40258b53d020bd
                                      • Instruction ID: df4b21fddbc231ca90e0b126e6e5dc01187ba7c01135309dd465c3cd9d2c11d6
                                      • Opcode Fuzzy Hash: f8e0ab81ae361d283d6e86f9da7a6a6081e29c28d4c9aecc3c40258b53d020bd
                                      • Instruction Fuzzy Hash: 5F612731A19A4D9FEB55DB98D861AECBBF0FF4A310F05417BD00DD72A2CA396A42C741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e7f9fbf77b876f820a63dbb011b813bd024d52890cd2ba8a10ebef25765249c
                                      • Instruction ID: d4e112c51b116317ea271b2cf84d1738fb647c2839b2a5ed513fb6c50905e5c3
                                      • Opcode Fuzzy Hash: 9e7f9fbf77b876f820a63dbb011b813bd024d52890cd2ba8a10ebef25765249c
                                      • Instruction Fuzzy Hash: 0E712230F2940EDFEB54DB98C4A0ABDB7A2FF54310F514175D00ADB2E5DA38AA81CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 62d413ffeec1acea3cb705291b21401d16a7c14dcbaf1ce5fec72f6b0843a2c1
                                      • Instruction ID: 834a1a48d4a647dea224e000fab81dcc2e2a090d276add9f66f288226dbff0e0
                                      • Opcode Fuzzy Hash: 62d413ffeec1acea3cb705291b21401d16a7c14dcbaf1ce5fec72f6b0843a2c1
                                      • Instruction Fuzzy Hash: 30511620B2D90E5FE758EB6C84247B977D1EF89310F55417AE00ECB2EADD68AD418341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86270eed70c90f43aa6bc779499ebdc7ed0b7aedede00d3e0b47ebb9d5739aa8
                                      • Instruction ID: 2ee36f56250ec22821ccb5ff6f3d9449d39d7be7fc3cba7859bd707db036b2ee
                                      • Opcode Fuzzy Hash: 86270eed70c90f43aa6bc779499ebdc7ed0b7aedede00d3e0b47ebb9d5739aa8
                                      • Instruction Fuzzy Hash: E251F631B2E94E5FE7B4A768847957877E0FF14300F4A04BAD05ECB1B2DE28AA818741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1f8ca504825904b335c80789e937274fec183ce4b76c8aa6877c96662e1f4c5
                                      • Instruction ID: 15f3434713a03979a327e93fe0125bdd321dbddb457479b7f3f246b82063fa41
                                      • Opcode Fuzzy Hash: a1f8ca504825904b335c80789e937274fec183ce4b76c8aa6877c96662e1f4c5
                                      • Instruction Fuzzy Hash: 2051B431F2995E5FEBA4AB6884217BD73E1FF49300F5141B6E40DD32E6DE28AA418781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a623c634880f97592079f4210461d2c96f396a6ba088cadb205df05b66976043
                                      • Instruction ID: 9a1c0a2dcaeb1189ba7cf8bc67beed41a55ecc34657219902ed6a3645e28b070
                                      • Opcode Fuzzy Hash: a623c634880f97592079f4210461d2c96f396a6ba088cadb205df05b66976043
                                      • Instruction Fuzzy Hash: FE51A430918A1C8FDB68DF58D855BE9BBF1FF59310F0082AAD04DD3252DE34A9858F81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1d8d8ce2044f4a803d9d0a9430c7c8fbc96bef75c0d289e63b08ce6a92ccab0
                                      • Instruction ID: f296b957c34566d4641d3eef93a12a2b0cf7cfa45a8305ff485f6c53cd1d7e3a
                                      • Opcode Fuzzy Hash: f1d8d8ce2044f4a803d9d0a9430c7c8fbc96bef75c0d289e63b08ce6a92ccab0
                                      • Instruction Fuzzy Hash: 2A518F57B0A6B24BD71BA76CFCBA5D57BA0DE8212930C01F3D199CF1E7EC09644A8391
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 476db4590608b6ff7a004cefe7a4b04a0c5e4aa028aabe4fbf9e66bed08c77bd
                                      • Instruction ID: 20b998389c0cfeec2360f31fd561ad3af05a4b12587448a3c054c3079be77f14
                                      • Opcode Fuzzy Hash: 476db4590608b6ff7a004cefe7a4b04a0c5e4aa028aabe4fbf9e66bed08c77bd
                                      • Instruction Fuzzy Hash: 48512830A1E64E8FD7A5DBA8C4A52B83BF0FF45311F0501B7D05DCB1E2EA28AA85C751
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f13f1aaa3cc6fbc3296c4ebd6dbfa4e35840f188fd8a5b509f5829bacd075682
                                      • Instruction ID: 2cb718bfee92935dea2b46af74fc749b43971d4150926d235256fb4d2cb0a8ba
                                      • Opcode Fuzzy Hash: f13f1aaa3cc6fbc3296c4ebd6dbfa4e35840f188fd8a5b509f5829bacd075682
                                      • Instruction Fuzzy Hash: AE412A2270AA760BD71AB76CECB55E47B90EF8112A34C42F7C199CF1A3EC15A44B8391
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 28d85ad8fdfe804ef2219b48cabe724264e2f90f119e293e4fef1372ecebf8db
                                      • Instruction ID: 20fdb15c57aae069aa08e599f7e8e2ad3d4338dfa603e1d875f7e979ae2deb1a
                                      • Opcode Fuzzy Hash: 28d85ad8fdfe804ef2219b48cabe724264e2f90f119e293e4fef1372ecebf8db
                                      • Instruction Fuzzy Hash: 32419551B2FB8E1FE3A763AC08752755BE29F9A610F4A01BBD04CC71E7DD199D068341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c8c96fb0b66224d6494c535929c7777f96ce4c6d508382d75909926f04d7222
                                      • Instruction ID: eaa5f5442b151907cb12eaab95c4b46dca9eeea2d1a97a5d9d360baac722ddad
                                      • Opcode Fuzzy Hash: 4c8c96fb0b66224d6494c535929c7777f96ce4c6d508382d75909926f04d7222
                                      • Instruction Fuzzy Hash: 7451897694F3C95FE71747745C624A17FB0EE07224B0A05EBD4C8CB0A3E669294AC762
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c0633f2f9afe4127724306d6a41cc5ae1070ed7d300b95f86828180ded7e7132
                                      • Instruction ID: 1fc7114cd7f15c9765a20ed6cee074f2ea10942bbda3923fe5ecd8b0a5576b1d
                                      • Opcode Fuzzy Hash: c0633f2f9afe4127724306d6a41cc5ae1070ed7d300b95f86828180ded7e7132
                                      • Instruction Fuzzy Hash: 8541D831F1990E9FEBE8EB688865BB9B7E1EF58300F150179D01DC32E6DE286D408381
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 90e7cbe15e28c6669154498af88f991cddc572fe89f5083971decf9f8bee50f3
                                      • Instruction ID: fe71253bb7feeaef83791d36224abf5bb80d23bb7c4335dc30467be763db3435
                                      • Opcode Fuzzy Hash: 90e7cbe15e28c6669154498af88f991cddc572fe89f5083971decf9f8bee50f3
                                      • Instruction Fuzzy Hash: 4E416130B1992E8FDBA4EBA8D465BBD77E1FF5C301F41007AD40ED32A1CE24A9418B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be5c278e6ff91b4f6394e117d74c61536bf6b4b9707860c32e35aa4fc1196a33
                                      • Instruction ID: 43eec2d794c2280f0c255d052f82b8a0b0d15e279f19fb4edb366727e70f520c
                                      • Opcode Fuzzy Hash: be5c278e6ff91b4f6394e117d74c61536bf6b4b9707860c32e35aa4fc1196a33
                                      • Instruction Fuzzy Hash: 63418221F2990E9EEB74EBD994253BD7BD1EF88320F62057AD50EC32A1DD286E414781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c111563147a56e826f065dde05e25723fc97520a99510f0a1bbf4b9c8722d33a
                                      • Instruction ID: 3f1af6587b873b424fbcee070b57ee78d3a4ee2c35393dda0dde8f3d2de2491b
                                      • Opcode Fuzzy Hash: c111563147a56e826f065dde05e25723fc97520a99510f0a1bbf4b9c8722d33a
                                      • Instruction Fuzzy Hash: 41417C22B0D5AD4FD756A77CB8A05E83BD1EF85328B0A02F6C09CCB0D3D91868878791
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6db5764ec4b59647c8e1afd19446f747ef6fd6c8ca0dbd005ed45136631c321f
                                      • Instruction ID: a97a9182d9a25efa76d38014fef565e5a6d8d39d1e84d618fae79bdce4b678c1
                                      • Opcode Fuzzy Hash: 6db5764ec4b59647c8e1afd19446f747ef6fd6c8ca0dbd005ed45136631c321f
                                      • Instruction Fuzzy Hash: 7741D721F2981E9BEBF8BBA844756BD67D2EF88350F520176D41EC32D5DE28AD014782
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 667008aa4154ef14370ca2397b81fcf19cb71528208612eda7cfe73909d47ef3
                                      • Instruction ID: 234ce400c877b0cbc47f21d8a511a2ad476836fd25774d588030dbd876540f8b
                                      • Opcode Fuzzy Hash: 667008aa4154ef14370ca2397b81fcf19cb71528208612eda7cfe73909d47ef3
                                      • Instruction Fuzzy Hash: AA41C831B2991DAFEBA4EB9C94696FC77E1FF88311F51013AE00DD32A1DE395A808751
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f79e367932aff47021e0f377c829d7a33e0b3c8991162522924290019333963
                                      • Instruction ID: ef1b416b97f97e902cc02576fc6065311e9f0d273a7589b886fff33f447207be
                                      • Opcode Fuzzy Hash: 4f79e367932aff47021e0f377c829d7a33e0b3c8991162522924290019333963
                                      • Instruction Fuzzy Hash: E741E511A5F7CA1FE76397B488745A97FE1EF53210B0941FBC089CB0A7C909594AC352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f03d2dcc37136ca1d604161be07d905c85e9da77dd6b719cabdc461e9f87c718
                                      • Instruction ID: fecbbfa67d9572545949a03ac97c3cdb75fdb668a992046ed6c4b18e929c4c7d
                                      • Opcode Fuzzy Hash: f03d2dcc37136ca1d604161be07d905c85e9da77dd6b719cabdc461e9f87c718
                                      • Instruction Fuzzy Hash: 0241C331E1AA1D5FE7A4EBB844252F97BE2FF48200F4505BAD40DD32E2EE296A418751
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1a5b96aedd767c69635ddfdba08a817cac8940a848746c1b28c04e472a1879c
                                      • Instruction ID: 5a6e74608835dc5fb88f4986beb8d4a42bfa0b38f3b6ed08e74f6e5c2b4745ae
                                      • Opcode Fuzzy Hash: c1a5b96aedd767c69635ddfdba08a817cac8940a848746c1b28c04e472a1879c
                                      • Instruction Fuzzy Hash: 7E31D521B2EB8A0FE36793A848712B17BA19F87210F0A00F7C448CB1E3DD5DAD458352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5de6f3fa734b75c635392ad03f5b6634fec4e295184aa28c1dd160806626147f
                                      • Instruction ID: 4f160123c0ef86e4b099d200b735fb16703f08c523da29413ad04c82b995de41
                                      • Opcode Fuzzy Hash: 5de6f3fa734b75c635392ad03f5b6634fec4e295184aa28c1dd160806626147f
                                      • Instruction Fuzzy Hash: EC31482295F6CD2FD712A7B05C219EA7FA4EF47350B0501E7E098C78E3D91D57468392
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 85173308e91108a8c9691aa3590c8c21e65c85c049dbe471b5c2ef74330e79ca
                                      • Instruction ID: 0c15536e7899204aa2523dea3388e1e8515c1fc2e5f43f8a2066b922f20ded12
                                      • Opcode Fuzzy Hash: 85173308e91108a8c9691aa3590c8c21e65c85c049dbe471b5c2ef74330e79ca
                                      • Instruction Fuzzy Hash: AD41533191A64A9FD751DBA4C8596EDBBF0FF46210B0A81FEE048C71A2DB3C9545C721
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 73d666881b63aeb013aab382b6e76e3316d2d2c796f64d28b04185a4aa734769
                                      • Instruction ID: 19f63b8099b4b3159da156ffa67f7d81a7b77c03aa87e6e64717d1c576e1c353
                                      • Opcode Fuzzy Hash: 73d666881b63aeb013aab382b6e76e3316d2d2c796f64d28b04185a4aa734769
                                      • Instruction Fuzzy Hash: 9831A561B2AE4E5FF7E5E76C047563963C2EFD8641B5A017AD40EC33E6ED28E9024300
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 77e994605ace8a10f7d155936df772441edd7a61c28222c870d3e8cc96190420
                                      • Instruction ID: 5e2927c1ab43aa029681cd2b74d7427ce5e154e48864f9ad80f1d32abfdfa1a2
                                      • Opcode Fuzzy Hash: 77e994605ace8a10f7d155936df772441edd7a61c28222c870d3e8cc96190420
                                      • Instruction Fuzzy Hash: F131A461B2AE4E5FF7E5E36C047563926D2EFD8640B6A417AD00DC32E6EE28ED024301
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c50a8cf8c1cde0afcfa7cb42a99f3c5aa8521a726b382f43399a6f56f0ee44c1
                                      • Instruction ID: b00f3473cac3147d35ccaca10bea66f220b1dda6daf396e04cb7197cb91bfe7d
                                      • Opcode Fuzzy Hash: c50a8cf8c1cde0afcfa7cb42a99f3c5aa8521a726b382f43399a6f56f0ee44c1
                                      • Instruction Fuzzy Hash: B7318151B2AE4E5FFBE9E36C047563923D2EFD8640B5A017AD40DC33E6EE28E9024301
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64554bbe8ec3970c604dd7402c1dcab3f201bf1f4657382c58dd108f6de37734
                                      • Instruction ID: 2bc47a009eb48697aec18e9f06a0d85ce9e01445220b0986de4ad861ab0bb462
                                      • Opcode Fuzzy Hash: 64554bbe8ec3970c604dd7402c1dcab3f201bf1f4657382c58dd108f6de37734
                                      • Instruction Fuzzy Hash: EF31B751F2AD4E5FE7E5E7AC047563927D2EFD8640B5A017AD40DC32E6ED28E9028301
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1180674199c2a97f9888cde7ccbcd223d112180ca9c63a12100d335e1091c7d5
                                      • Instruction ID: 1f16f147853fbfab7a4f6a6da020197d1e9369ee04c6fd690946d6b417255322
                                      • Opcode Fuzzy Hash: 1180674199c2a97f9888cde7ccbcd223d112180ca9c63a12100d335e1091c7d5
                                      • Instruction Fuzzy Hash: 87319551B2AD4E5FEBE9E3AC047523963D2EFD8640B5A01BAD41DC33F6ED28E9024301
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d98f97180a0a354d96456a0ce211d94b1be032f5bb6a2461c239a8121e0f1da
                                      • Instruction ID: edd0e2dd8cf533f9515a0b617c2c4d749dc9196b6c36eec2cb55da0dcab171f4
                                      • Opcode Fuzzy Hash: 1d98f97180a0a354d96456a0ce211d94b1be032f5bb6a2461c239a8121e0f1da
                                      • Instruction Fuzzy Hash: B331E520B2EA9E5FD7A5ABB844212B97FE0EF49210F4605BAE04DC31E3DD2C5E418391
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9beb232daf19e0f64ee690dc06c0dc7cfed7b5832aa2c51d25cfe582b75ad33c
                                      • Instruction ID: 50cc34a609748a4795f3f3e15dd3b8f9e306a5a03e170f5a352d4bcf49f97905
                                      • Opcode Fuzzy Hash: 9beb232daf19e0f64ee690dc06c0dc7cfed7b5832aa2c51d25cfe582b75ad33c
                                      • Instruction Fuzzy Hash: 9741F93190E7969FE717EB7898B54D5BFB0FF01218B0942FBC0A48B0A3ED2965568385
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39464ceb5d45269677d5a118317a04a3207b846d1fcb7a694a8696ea3979db42
                                      • Instruction ID: ba839893c9e10dac5a79ab2ea455ce943eec1adb82969f9c4c8517c3d2287f59
                                      • Opcode Fuzzy Hash: 39464ceb5d45269677d5a118317a04a3207b846d1fcb7a694a8696ea3979db42
                                      • Instruction Fuzzy Hash: 44312C2770ABA547C71DAB5CECE64E57790FF8662974801BBD09ACB093ED156446C340
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 257862598491ea4dcfe7704bf6b77173028a1425dc214f0aba917eb916fa8a44
                                      • Instruction ID: c91061ca66ca4747eab8be5bd89d04c5471050774db75ccc65406662e9d04c44
                                      • Opcode Fuzzy Hash: 257862598491ea4dcfe7704bf6b77173028a1425dc214f0aba917eb916fa8a44
                                      • Instruction Fuzzy Hash: D031E620B2EA8E5FD7A5DBB844212B97FE0EF49310F4605BAE04DC32E2DD2C5E418791
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 50d71d027681fa170fcb63239e2aab03b45766b2c87ce192268beb8550ffea1d
                                      • Instruction ID: 4abe08ddc18def87a2376eaff47d0c71cb90e895b3126c6369046f5926cca94b
                                      • Opcode Fuzzy Hash: 50d71d027681fa170fcb63239e2aab03b45766b2c87ce192268beb8550ffea1d
                                      • Instruction Fuzzy Hash: 0F414171B2D64E9BEBB8CF58C4606B93791BF58304F220579D41E872E2CE39AB11D741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 888d5df0e3ff1bb5dc2fbc3db38759b3e385e066cb707e44f0037647228d57fb
                                      • Instruction ID: af8dd99d27beba95aee0ce6307adbed460b7a48e26e2e84d5f38886cd3e8b07b
                                      • Opcode Fuzzy Hash: 888d5df0e3ff1bb5dc2fbc3db38759b3e385e066cb707e44f0037647228d57fb
                                      • Instruction Fuzzy Hash: 9931B622B2EBC99FD7A2936848B55653FF1AFDA240B1A01F7D088CB1F3DD299905C311
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eaf64a061aaf562121c2ed41f7ddc502a4e0de349c8a70c27aa36a9ddd78727a
                                      • Instruction ID: d3bff89af70a96dfe6cd59a160f16527f06525670da890e2302c2cf409f4f523
                                      • Opcode Fuzzy Hash: eaf64a061aaf562121c2ed41f7ddc502a4e0de349c8a70c27aa36a9ddd78727a
                                      • Instruction Fuzzy Hash: 83217C32B06A6547C71DA76CECA68E477D0EF8A36974800BBC09ACB1E3DD15A4468740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff15121a692ec30246125679645f2c9e65b27d7abbfc45206a8b842bfaa7bd37
                                      • Instruction ID: 51f1ad5dc322be4906f4639fa1e2ae9f0a423705932ce69c2695491852329124
                                      • Opcode Fuzzy Hash: ff15121a692ec30246125679645f2c9e65b27d7abbfc45206a8b842bfaa7bd37
                                      • Instruction Fuzzy Hash: 0F313931E1E55E8FE776EB9888766BD77B0EF48310F06057AD00DDB1E2CE2869418381
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e5de78f0dfc2cbc5526bd89ded4ac146a5359179472f5d42b0166fcb01c9e0eb
                                      • Instruction ID: da2d15d0c9320b1916693abae089bd0d2cb613ff3061de197d2dbd96b0f7a5b6
                                      • Opcode Fuzzy Hash: e5de78f0dfc2cbc5526bd89ded4ac146a5359179472f5d42b0166fcb01c9e0eb
                                      • Instruction Fuzzy Hash: 2C310110F2981E6BE7A8F7B844396BD52D2EF98201FD10075D40ED36EBDD2C6E425742
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f943f8225b4ffda4cfba7e0b63196e6c9eaeffe113b2352f387f3305b0bab73
                                      • Instruction ID: b371242d5e6a8206b842802d9949ec330efe6304a072113cfd743819c2700ffa
                                      • Opcode Fuzzy Hash: 0f943f8225b4ffda4cfba7e0b63196e6c9eaeffe113b2352f387f3305b0bab73
                                      • Instruction Fuzzy Hash: C921F771B2E6892FEB795B6458364F93F99EF42720B0501ABE04D830E3DD592E43C751
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ab18597901b84a9f01b3bdc4a0a61e9243ae8969216cfcf920bf6c428ab31489
                                      • Instruction ID: e5fc91b05761e5c04435a0478bbb781ca6e6639d99a7171da4fffc9ff4442ace
                                      • Opcode Fuzzy Hash: ab18597901b84a9f01b3bdc4a0a61e9243ae8969216cfcf920bf6c428ab31489
                                      • Instruction Fuzzy Hash: 7A218521F1D91E5FDBA4EBAC54216BD77E1FF48314F420579E01ED32D2DE28AA414781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1627539e8011608c6a40cd8731e76d675c4149d93eeff7c6a5a0f3fc8c6929fb
                                      • Instruction ID: f0961fa8b7bc9cc3afcf0d71839d66c1ca1087931370053c245ef07311ca797d
                                      • Opcode Fuzzy Hash: 1627539e8011608c6a40cd8731e76d675c4149d93eeff7c6a5a0f3fc8c6929fb
                                      • Instruction Fuzzy Hash: 5421BF226092A14BC70BB7ACF8BA9D43BA0EF0212D34D41F7D09DCF0A7EC09544A9295
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bcdfeac2e5caafa699be3c1fb0f91bb5710c5d8bedf000a26cecddbedbf11522
                                      • Instruction ID: 8ca3c45ddc2106fe9815617001fdf2a746f8a25452c4b840b41c067f3a3ebafa
                                      • Opcode Fuzzy Hash: bcdfeac2e5caafa699be3c1fb0f91bb5710c5d8bedf000a26cecddbedbf11522
                                      • Instruction Fuzzy Hash: 51315030B19A0D8FE7A9DB9884A47B87392FB98311F560539D11EC72D6CE396982C744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e36b968e3192e8222ec0d4c019385ae17f6b6daba887bc2a7e202eb1e1838041
                                      • Instruction ID: 943826258e125ca85dec4c29c755778cdf85178283bfa6f13f762bf9fbc7d2f3
                                      • Opcode Fuzzy Hash: e36b968e3192e8222ec0d4c019385ae17f6b6daba887bc2a7e202eb1e1838041
                                      • Instruction Fuzzy Hash: 9A21F82270A6A147C70AB76CFCB65E47BE0EF4612D70C00F7D19DCA093ED09944AD391
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a32d5e67d343c2ddce2408a07c78728d492381edea278bfa5e6071aea5fd56f1
                                      • Instruction ID: 372485b66b7727197c97d1a71e6962277c2a7e8fcb792e805e809086ef3dd0d7
                                      • Opcode Fuzzy Hash: a32d5e67d343c2ddce2408a07c78728d492381edea278bfa5e6071aea5fd56f1
                                      • Instruction Fuzzy Hash: 2521F731F2A92EAFE774B7AC546D5FD7791EF44314F110177E00EC21A2DE3826818261
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4d2790e9e13601e2c10ba35ddc8f4a8403ec0185c2ce0325502361eae4b0243
                                      • Instruction ID: d5600d71253f833f0291440789abb507c385f3e81a910a9f582f10bf25cb743a
                                      • Opcode Fuzzy Hash: e4d2790e9e13601e2c10ba35ddc8f4a8403ec0185c2ce0325502361eae4b0243
                                      • Instruction Fuzzy Hash: FC212130F1D419EFE754EB58D8649BC77A2EF98301B214171E019DB2EACD38BE818751
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 173d927499d648bb421aa5a81e964db7bfd136935411738838040a8a46c22153
                                      • Instruction ID: 7c8370e329483d55daa675b5a628fd678864ad1c00b7278a957357465825defe
                                      • Opcode Fuzzy Hash: 173d927499d648bb421aa5a81e964db7bfd136935411738838040a8a46c22153
                                      • Instruction Fuzzy Hash: DB217120B1F68E5FEB66ABB844242BD7FB0AF46310F5601B7D04DD71E3DE685A488352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2cd692c0cf8051e52993a123c9e4248773dc6116028f759581a81c2b92b65094
                                      • Instruction ID: 5071e1c8d4030853af9d509ced9f4bea7ef2683d708c869e019152c4139e5fac
                                      • Opcode Fuzzy Hash: 2cd692c0cf8051e52993a123c9e4248773dc6116028f759581a81c2b92b65094
                                      • Instruction Fuzzy Hash: 3B11DD27605AA18BC719B76CE8B65E57790EF4622970800F7D19ACB093ED15A447C781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30fd8f2f0fc93ffcc9f12d624c4d9ba290f1dd7bef0cb74830514eafa4b14a90
                                      • Instruction ID: 449d5131371f1f52f5d23699592027639e1a347cb620993dc651a6e53520658d
                                      • Opcode Fuzzy Hash: 30fd8f2f0fc93ffcc9f12d624c4d9ba290f1dd7bef0cb74830514eafa4b14a90
                                      • Instruction Fuzzy Hash: 7721F83061E68A9FE7A68B7484742A47FE1EF57310B5D41FBD04DCB0A3DA199A06C741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1c591df101ad02447d4ead6d867e3625657258b6a0e08cb03921ccafffbc956
                                      • Instruction ID: 5e03853961bc390899a6d230e6f10526c2268b4ca781ae8ec4be1bb13ed5e64f
                                      • Opcode Fuzzy Hash: f1c591df101ad02447d4ead6d867e3625657258b6a0e08cb03921ccafffbc956
                                      • Instruction Fuzzy Hash: D101087264E64C1EF72CAA54BC435F97794FB86230F00013FE08E82053E66639938355
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f39fc45ffcb1bd97ea35cc85d0acfba0d39ad76c15c2353efb601996307b9b0a
                                      • Instruction ID: 71ef86fe9cc120792ce0ff9d7db8e861d3a9d57db731461af68f4bbf9619f51b
                                      • Opcode Fuzzy Hash: f39fc45ffcb1bd97ea35cc85d0acfba0d39ad76c15c2353efb601996307b9b0a
                                      • Instruction Fuzzy Hash: C5112C22B1A68C1FE7959B7C84295A977D2EF9524030740F2D449CB2B3FE189E038351
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ab22a52fa229058144e8d2fd51148d0ee2d400020cf4933ae24a446d2f2373eb
                                      • Instruction ID: 4015b5a9847ba475683320405bd74f3116fe8b29e7098f1e37db75e79d81ff71
                                      • Opcode Fuzzy Hash: ab22a52fa229058144e8d2fd51148d0ee2d400020cf4933ae24a446d2f2373eb
                                      • Instruction Fuzzy Hash: 5311B120B3990E9BE768A7AC90207A9BBD2EF58310F55417AE00EC76D6DDB8AD414741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cc0017723f3522b7dce656ffc1c0b6aa946676e263de6128c7605d7443aedc12
                                      • Instruction ID: c1b14b642954bff5cc334a29e93b28e4d09dd15e1f309bf8a97f303e06a5a992
                                      • Opcode Fuzzy Hash: cc0017723f3522b7dce656ffc1c0b6aa946676e263de6128c7605d7443aedc12
                                      • Instruction Fuzzy Hash: 20117A52B5E7EE79F332667898211E13F80AF03228F1901BAC1DA860E3CD05665AC3C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39190f05305beae7b85fb0f15468f5c27c0c2b35205203a89a16b5070dfb6cff
                                      • Instruction ID: 5878247bd9468f7f89d8d8996c2ae662143944fa4134f45703e080d95e6e4e6d
                                      • Opcode Fuzzy Hash: 39190f05305beae7b85fb0f15468f5c27c0c2b35205203a89a16b5070dfb6cff
                                      • Instruction Fuzzy Hash: 2A21D43021D7884FE7229F6E8818754BFE0EF15725F0446BED0EAC35A2C7786408CB11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24285ff3f9d0610e6ed9af1a0944ca0ae2ea0656b247717f9dd8bed643da9030
                                      • Instruction ID: 26b3cb54dd041970c603fbd0962eadc4f31635474e2de81387d9131284dbae3f
                                      • Opcode Fuzzy Hash: 24285ff3f9d0610e6ed9af1a0944ca0ae2ea0656b247717f9dd8bed643da9030
                                      • Instruction Fuzzy Hash: 04111210F2981E6BE7A8FBB844396FD52D1EF88301F910075D40ED36EBDD2C6A425742
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e009b9ed72540273301295943795da8297299a2554823d0dc4f2fac396edfcbc
                                      • Instruction ID: 44b40a139e2f9aa09f69c4dcb3b8f2a91f531c13f911b22c6d1233c17ddc819a
                                      • Opcode Fuzzy Hash: e009b9ed72540273301295943795da8297299a2554823d0dc4f2fac396edfcbc
                                      • Instruction Fuzzy Hash: F101AD11F2A90F5AF6B8B7B904B96BC16C2EF89259B560479E00EC72E7DC2C9D824251
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 93a2d913e624467bf3f7f9a94b93b558313fa7ff736610dcc3805ce7f4d0c2d6
                                      • Instruction ID: afbd8574007d4f999c255eb398499532a4beb18810fb5b778c5d2f924e09575b
                                      • Opcode Fuzzy Hash: 93a2d913e624467bf3f7f9a94b93b558313fa7ff736610dcc3805ce7f4d0c2d6
                                      • Instruction Fuzzy Hash: 39019232558A0C5BCF50FF99DC109C63BA8EB59368F01025BE81CC31A1E622EAA5C785
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a5f5a3db1273eca6d1da128f08151a67cda565d2ca9736e3f43980debc00682
                                      • Instruction ID: 3ac03a32532aa223627a7394df3140dbbd218dc11eadad8e3a68988324ab49e6
                                      • Opcode Fuzzy Hash: 3a5f5a3db1273eca6d1da128f08151a67cda565d2ca9736e3f43980debc00682
                                      • Instruction Fuzzy Hash: 75118411F2E68E5AE77967F448352B97FA1EF45300FA604B6E05E871EBDC1C6E054342
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5b8ff473a382d1460c9676a69b8a090a3818ee3302e09bbeb6b6f7e1b7d18ab4
                                      • Instruction ID: f0a85fdb17f36294646fa9fc1275f11788e440de2a853c0edf22131af45af63b
                                      • Opcode Fuzzy Hash: 5b8ff473a382d1460c9676a69b8a090a3818ee3302e09bbeb6b6f7e1b7d18ab4
                                      • Instruction Fuzzy Hash: 57118F31B19A4E9FDBA8DF5884745B93391FF98304B25057AD46EC32E6CE35EA028741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 487d1f4ff214fa1a338cc05dce1ef63f86da832ce30d86b7dbad0bb5bee27571
                                      • Instruction ID: efc6233f8830d2e0bbb46682f7501fce19637fccd1c1f241b4c823a1b9a4e669
                                      • Opcode Fuzzy Hash: 487d1f4ff214fa1a338cc05dce1ef63f86da832ce30d86b7dbad0bb5bee27571
                                      • Instruction Fuzzy Hash: 55018430B1CA0D5BDB64DB68C010AAA7BE1EBD9361F10463ED00DC3264CA79DD468781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c8e2e78afeabd0287bbe44da686e670f343235a94e2b2732cc20499ab1451732
                                      • Instruction ID: aea59ae8a6b506c3ddaff40dd80f835828b13c83f7d1a616a9aef7a5e91ebe6c
                                      • Opcode Fuzzy Hash: c8e2e78afeabd0287bbe44da686e670f343235a94e2b2732cc20499ab1451732
                                      • Instruction Fuzzy Hash: F201A120F1C41AAFE360EB59CC609BC2B93AFC4311F654571F05A9B2EBCC2C3A428321
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 032bca47483e7712b8a1f63cfd898dcad385b3aec396389b89b00b50439929a3
                                      • Instruction ID: 15be1dec8fa56f1f2653f87e36a436a51b832af83034d66fc47648a2ab0618c4
                                      • Opcode Fuzzy Hash: 032bca47483e7712b8a1f63cfd898dcad385b3aec396389b89b00b50439929a3
                                      • Instruction Fuzzy Hash: 19012130B5AD0D4FEAB9AB98807237C71919F4C701F52507DE42ED21E6CD7E6A418341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8abecbb6525c1a0778923fcf69e1503b7a6864a58891bd03d9a8b9e561c8b8f3
                                      • Instruction ID: 2a8dbf7767c03751f9ab427a4da2dc4832b702b9fd1222968ad017ee01ba207a
                                      • Opcode Fuzzy Hash: 8abecbb6525c1a0778923fcf69e1503b7a6864a58891bd03d9a8b9e561c8b8f3
                                      • Instruction Fuzzy Hash: 3A01F930B0952D4EE760D36DA8A03B43391EF98314F4602B5C04DC30D6CA287CC38B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aed3529cdfb212a89234339e194955c976731b96a4f4d8f8f618c35f1d0d6921
                                      • Instruction ID: b6b99850a04972ff5836c5bda21583f7feadc45390ffec10debb5f6d757d5dfa
                                      • Opcode Fuzzy Hash: aed3529cdfb212a89234339e194955c976731b96a4f4d8f8f618c35f1d0d6921
                                      • Instruction Fuzzy Hash: EB01F130B0D92E5AE7B1E368A8B47B53391EF88314F5601B9D04DC70B6DA286CC38BC1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6774b5f3e4c2b9e533eb744834a2697e6dacec65a4ecbd3edaa727e46d65674a
                                      • Instruction ID: 0133e888eddd5be7fe3a93809e138b6401650d493f578778b6f1995a3db6cd2c
                                      • Opcode Fuzzy Hash: 6774b5f3e4c2b9e533eb744834a2697e6dacec65a4ecbd3edaa727e46d65674a
                                      • Instruction Fuzzy Hash: FF012521F2981E5BE7A8FBB844396FD6291EF88301F910075D40EC32EADD386A465742
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c290a72765a696a6a80855ba2f0f938622b451f463cf39be9c4ef7ca3b757070
                                      • Instruction ID: a80452b1a137325f7cbe4f3cdbf4703e37704e23e5f9725f996f202d5c742178
                                      • Opcode Fuzzy Hash: c290a72765a696a6a80855ba2f0f938622b451f463cf39be9c4ef7ca3b757070
                                      • Instruction Fuzzy Hash: 8E01423960891C8FDB84EF9CC8A8EA873F2FB69311B1641A5E409DB275DA64ED41CB00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 72d611869be9bf3a7768100df955b6563b050651160239060fd4dfdc38da17f1
                                      • Instruction ID: 0aec2bad98ec33415f70954343b6f779e0213de85deeae9b2fe0abcacef23f72
                                      • Opcode Fuzzy Hash: 72d611869be9bf3a7768100df955b6563b050651160239060fd4dfdc38da17f1
                                      • Instruction Fuzzy Hash: 4E012651B6EBDDBDF732667888321B23F84AF07218F1A00B9D0DA8B1B2CD156A1586C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4ddd2d4017987adeb21144071ca66eb451a5420b6dd651e64a7cc54f04f75ef
                                      • Instruction ID: c1030432424e916b00ed5d9ab07ef7d4ba999f7c1df169111b345b53b6322ec9
                                      • Opcode Fuzzy Hash: e4ddd2d4017987adeb21144071ca66eb451a5420b6dd651e64a7cc54f04f75ef
                                      • Instruction Fuzzy Hash: 8F01DB62F09E4D4FE768DF98656556467D2EFAC30070541BFE05EC32D7DE2428464781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 404ea4688409d6ba527f14f358ced218c11c3e7c75310bbb9479e6240a07131d
                                      • Instruction ID: 634cafeffad48856cb22158cc2e86e7489c9e6c45a0ed40fbe86d1a0cab37a52
                                      • Opcode Fuzzy Hash: 404ea4688409d6ba527f14f358ced218c11c3e7c75310bbb9479e6240a07131d
                                      • Instruction Fuzzy Hash: 3001FF31759E098FEBA4DB5CC465A7973E2EB98740F120538E45AC32B5DA34FD418B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cde307908e2c6f0ac6339da63028d29bf7777036747293c26b11ed2fea77ee53
                                      • Instruction ID: e658a5aed00c670b61d07d7cf48f543dc768ab2832bf98c971467be0dbf45c17
                                      • Opcode Fuzzy Hash: cde307908e2c6f0ac6339da63028d29bf7777036747293c26b11ed2fea77ee53
                                      • Instruction Fuzzy Hash: 3D01D670A48A098FD798CF48C4A8B6977E1FB5C301F51043EE05EE77A1CB769981CB01
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc5e69cdb157629c08bbdb02b3c36659bcfd1c67f519a5d0094f6dd50c6dfaab
                                      • Instruction ID: 2898f7ff9a51c1482f3dd84104fcdd3114a664e79ea2ea943c953513e567e092
                                      • Opcode Fuzzy Hash: fc5e69cdb157629c08bbdb02b3c36659bcfd1c67f519a5d0094f6dd50c6dfaab
                                      • Instruction Fuzzy Hash: 3BF0962549F3D96FC7134BA48C249EA3FB4AE87140B0E01D7E0D5CB0A3C55C565AC762
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9ce408f56c849b0a8b9089f29a8e1b961770441f0874b7671298b5a3b1fcc302
                                      • Instruction ID: 4b8bf79d430bdbfd4cdf9d665efc191284af12b08d11a774bf3219bb8bd2612d
                                      • Opcode Fuzzy Hash: 9ce408f56c849b0a8b9089f29a8e1b961770441f0874b7671298b5a3b1fcc302
                                      • Instruction Fuzzy Hash: D0F01D34705A098FD754EF98C8A8A6933E1FF58310B520579D51ACB2F5DE74A885CB00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9ec80005f97975767c69efe4e683e4ed14ab828b593bbcf70928d91552dd20b4
                                      • Instruction ID: b121a6a585175f3413e07a25f1da8a5990bfadac6e40fb67912c5146a93fa9c6
                                      • Opcode Fuzzy Hash: 9ec80005f97975767c69efe4e683e4ed14ab828b593bbcf70928d91552dd20b4
                                      • Instruction Fuzzy Hash: D5F0BD35A0991D8FDF54EF88C864AA873A1EB59310F064175D42DEB2E5D938E9419B40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37088870660a5c389b050b70e4eb1494e1da1c25de0d1ef2618d05ea6018b063
                                      • Instruction ID: 47d94dcae0d55309899099b50e9667a5d4e92cfa6ed321fa5379803137bf74e0
                                      • Opcode Fuzzy Hash: 37088870660a5c389b050b70e4eb1494e1da1c25de0d1ef2618d05ea6018b063
                                      • Instruction Fuzzy Hash: BDF0A751A0FB890FEB629BA889741A43FA0EF57360B8A02F7C055CB1E7D81D54074301
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ae31effc28bf943dc04e4b055f28ae4857d44f1637432bfb90d8a750a6b74d4
                                      • Instruction ID: c27f88dc54905685dd8cfc7b717cd6b1248dd553c2ce04dc8754f242d4a8750b
                                      • Opcode Fuzzy Hash: 2ae31effc28bf943dc04e4b055f28ae4857d44f1637432bfb90d8a750a6b74d4
                                      • Instruction Fuzzy Hash: 3CE06D21B1880E5FEB94F76E50719BDA392EFD8214B1840B6E12DC32DACE28A8515341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 198f456415b1b27f16204cbf56855e92f36c63c49f762c634701046433133d7a
                                      • Instruction ID: 746da786e6d03dd545a40d30f948a41266000d3be4a01b23289ab9e3324a16f1
                                      • Opcode Fuzzy Hash: 198f456415b1b27f16204cbf56855e92f36c63c49f762c634701046433133d7a
                                      • Instruction Fuzzy Hash: 80F0E57162DB898BF765974C8466BA9B3D1FF98700F42012DE44A832A2C914BC43C682
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e9b2af1ba8651017de95243c38cf328f24c8f3a599e0d281165cdf49beb8a45
                                      • Instruction ID: 0497c0e20d1c295c09178a7460a686db34d33a968f9d4829dd973581ebce23dc
                                      • Opcode Fuzzy Hash: 7e9b2af1ba8651017de95243c38cf328f24c8f3a599e0d281165cdf49beb8a45
                                      • Instruction Fuzzy Hash: 12F0E92061D7854FDB619F7D4819708BFE0AF25724F04477DD0BA876E2C7B86904CB11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3aa61ec8913393bd64ac81fbea55648d6aeb617867f64b4782edcd485313ead
                                      • Instruction ID: 85d07a8a9fe36ade190ed8f9f2dd298a557f6be6a057f656c6795c63dc23f65d
                                      • Opcode Fuzzy Hash: f3aa61ec8913393bd64ac81fbea55648d6aeb617867f64b4782edcd485313ead
                                      • Instruction Fuzzy Hash: 7EE0263354EA4C5FCB60AA9A7C949863BA8FB8A328F41025AE44CC6241E2215641C301
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20c3ab6ad462ec60e21c5c8de78200e9909853799b88bc5a8f7bc64a4dffe45d
                                      • Instruction ID: 8fab4ef4e3fd56b693fd83d173fc21bf15019737d966b548dad8e59912539004
                                      • Opcode Fuzzy Hash: 20c3ab6ad462ec60e21c5c8de78200e9909853799b88bc5a8f7bc64a4dffe45d
                                      • Instruction Fuzzy Hash: 23E06D3171DA494BE764D79CC86197A73E1DB99741F21053DE05AC32B6DA21FD024782
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f80c145a52226f2d2f7cc5c7bf667574a19f7a3488335cccb6a91be1ab685fb
                                      • Instruction ID: 01213d6131c2670a18faec00efdd44157bf34941f3bd4d9424779220e1c8d633
                                      • Opcode Fuzzy Hash: 0f80c145a52226f2d2f7cc5c7bf667574a19f7a3488335cccb6a91be1ab685fb
                                      • Instruction Fuzzy Hash: 10E06520B19A0D4BDB94F7A898B667822D1FB8C210F510038E41DC32E5DD29A8D04700
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 492b5de473091371a9f70b07399acd549ddbe79e2b54c5d749c85114301179e1
                                      • Instruction ID: 0264d96da1e5dceb2051c4aa73a583d3a62fbbe64d331ebcc0437332a0697feb
                                      • Opcode Fuzzy Hash: 492b5de473091371a9f70b07399acd549ddbe79e2b54c5d749c85114301179e1
                                      • Instruction Fuzzy Hash: 1BE0ED31A08D1C8FDF54EF4CC894E9873B1EB68310B060165D419D72A1DA34E9408B80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d357ccc9d8faf1fba6144bce3ff65b84b7facfa48d579160b9b179a1fc42a525
                                      • Instruction ID: 42d6718410bad06f65e58212989ce1ab5b22a4f34f688e0290271426cd556d8c
                                      • Opcode Fuzzy Hash: d357ccc9d8faf1fba6144bce3ff65b84b7facfa48d579160b9b179a1fc42a525
                                      • Instruction Fuzzy Hash: 2CE09B31B1A54999F77592A494643F83B61EF05320F460279E11D511F2CF2D2F40C753
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e9c50c97026cb8016a671efd4be87ea386cb7472d513d87751b9bc0905f0c5f3
                                      • Instruction ID: b93883e8aee582081cd629014f0b23bb640fcf19824a830137d5068057b53547
                                      • Opcode Fuzzy Hash: e9c50c97026cb8016a671efd4be87ea386cb7472d513d87751b9bc0905f0c5f3
                                      • Instruction Fuzzy Hash: 2ED05E30B20E0D4B8B0CA62D886D430B3D1E7A96027945669940AC22A1ED65ECC58780
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba8036a0f88ff8811f632f7d7668832d05f90ea83b5aa0545250b20cd518dbed
                                      • Instruction ID: 00947ff1d41ef4723e59925d498a6e13709ac31b90e72f7cdd3415837733f58c
                                      • Opcode Fuzzy Hash: ba8036a0f88ff8811f632f7d7668832d05f90ea83b5aa0545250b20cd518dbed
                                      • Instruction Fuzzy Hash: 33D05E3285FACD4BEB225B645C610D47F20AE0A500F051297E4AC96063E85856588382
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c57df1069980fc827ba1564110fcadab96acb287559ab5dc74388978bafc20c0
                                      • Instruction ID: 0994609f76674f941d6fe04264601cc375a3a288acd24c2b2f43dba9cf4a66e1
                                      • Opcode Fuzzy Hash: c57df1069980fc827ba1564110fcadab96acb287559ab5dc74388978bafc20c0
                                      • Instruction Fuzzy Hash: 03E09230E09A1D8FDB94EB6CD054B6CB7E1EF18301B1600B5E41DE72A6DA38E881CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7fc05be39e4c71b0c69f4f3eb3afd042f3bfc8a602d3ece81658e1d3602e396f
                                      • Instruction ID: da1ac0ae825de9bc29a0652563f0839468cb7c04d4f9a7eb42569bf9c2f6e1de
                                      • Opcode Fuzzy Hash: 7fc05be39e4c71b0c69f4f3eb3afd042f3bfc8a602d3ece81658e1d3602e396f
                                      • Instruction Fuzzy Hash: 91E04F30F7E91EAEE275A79444A12BD3391AF59750F960036C00EAF2A1CE28BF009780
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd676ae3deb2c27bdc40dceb84d31ee9b7d09e900cd9fa3c459eee2022892148
                                      • Instruction ID: 92ccf86a9e91d13d6413dd17b266d90d37cb05536ce1ea525ff5e9ddc8cf5e49
                                      • Opcode Fuzzy Hash: dd676ae3deb2c27bdc40dceb84d31ee9b7d09e900cd9fa3c459eee2022892148
                                      • Instruction Fuzzy Hash: DAE01A3060AA09CFD320EFD8C4987A933A2FB54311F45427AD416D62F8DB789994DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ce28d6d523fdcdc8a8148f066de15e3b0978b0d644d06105803c1cc026343315
                                      • Instruction ID: ddc5ecbb27ef4f003c0c334c9100fed5284e9196d5c4638e4fff9b417ece8c77
                                      • Opcode Fuzzy Hash: ce28d6d523fdcdc8a8148f066de15e3b0978b0d644d06105803c1cc026343315
                                      • Instruction Fuzzy Hash: A0E09231E49A0D8BE764DB88C464BA83290EB04320F460179C42DDB1E1DA38A9818780
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3fde66c2dad680e923389c753426c1693f7ab68f4c8580b012408859d7f4a6b0
                                      • Instruction ID: e501f2d1bd348ca24457d5bf75b33222d5f7c2eda628975de8724e9b25890636
                                      • Opcode Fuzzy Hash: 3fde66c2dad680e923389c753426c1693f7ab68f4c8580b012408859d7f4a6b0
                                      • Instruction Fuzzy Hash: 05D02B03F1A90D4BC9301BECDC51CA93750DFDE220B8A12F2C02482061C42C135B5682
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c061ed3bd977ac8dc39f2de69623e5fff401da577480d3e871b6c22ba033ee5
                                      • Instruction ID: c603747d1251134cfae62190fb362c0696bc2e7703205858a17f41dde889f6a9
                                      • Opcode Fuzzy Hash: 4c061ed3bd977ac8dc39f2de69623e5fff401da577480d3e871b6c22ba033ee5
                                      • Instruction Fuzzy Hash: B4D0C901B2E51A47F32422CCA8723B8B286CB9C654F510277E00DC27EAC95EAE864292
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 197efae57ecf16bbcec91f6c440a0b5cc747b792b5cff624b6be4d2a2b9b1369
                                      • Instruction ID: 6cd84d798bd4a92b26c2ab8532003e35c0cb006b044b39d57b6d6fabf8742a8e
                                      • Opcode Fuzzy Hash: 197efae57ecf16bbcec91f6c440a0b5cc747b792b5cff624b6be4d2a2b9b1369
                                      • Instruction Fuzzy Hash: 00E08630B0990E8BD721DFD4C8D06ADB391EB48310F118736C015C2299DE3856014640
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c8312997f8f729d2954581a659c0127b7038cbd9be6d4042dea4b579396e6519
                                      • Instruction ID: 6a6ab5d13659cb7bb6935dfce5b061d024368e295cfd0cde155db8f800674d18
                                      • Opcode Fuzzy Hash: c8312997f8f729d2954581a659c0127b7038cbd9be6d4042dea4b579396e6519
                                      • Instruction Fuzzy Hash: 04E0C232A0690A8BC610EFBCCCE6898B7A1FF8C3107890262C44486542DB29A1668641
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65656f837d42651f9a7c3c1a445c70992631738f95eaac4e242cbf4e8b945774
                                      • Instruction ID: 09d8a93d9e4f4efd334a9a7771294da3bd6e8526d1d42a49982e19417bb95655
                                      • Opcode Fuzzy Hash: 65656f837d42651f9a7c3c1a445c70992631738f95eaac4e242cbf4e8b945774
                                      • Instruction Fuzzy Hash: 60D0C930B619084F8B5CB73C885996076D1EB6E21679540A9D00AC76B1E96AD989CB81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 386729ac771fd045a9d4878cbd22a6c981c7f2b80493e0266db0e73058a32360
                                      • Instruction ID: 058bd29a02ea427a24035162fee3b0594a0ed5a608b4d2b275e3a9683d3d9d37
                                      • Opcode Fuzzy Hash: 386729ac771fd045a9d4878cbd22a6c981c7f2b80493e0266db0e73058a32360
                                      • Instruction Fuzzy Hash: A9D0A930B208084F8B4CA73C885892032D0EBAD202B9500A8D00AC32B1E92AD889C740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 015559ebc49941f059002375a52357d66430cdf1a86b95b35032822612777714
                                      • Instruction ID: 381b35cee3ea52d3ab827f647ef130c20cb2d42d023bdb87c8ff5a18904dd6b7
                                      • Opcode Fuzzy Hash: 015559ebc49941f059002375a52357d66430cdf1a86b95b35032822612777714
                                      • Instruction Fuzzy Hash: D1D0A930B209084F8B0CA72C885892036E0EB6D202B9500A8D00EC32B1E92AD889C741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7f9907b868080dabbd52f7df44c0de3db9e5636a7b1d10ecdbe1b07a7b551836
                                      • Instruction ID: bf0cb21ad37a38736add17da323bddf1ca0a6e06189aa1ed189299c0fd17f1da
                                      • Opcode Fuzzy Hash: 7f9907b868080dabbd52f7df44c0de3db9e5636a7b1d10ecdbe1b07a7b551836
                                      • Instruction Fuzzy Hash: 63D02353E9F50402D775267D8CB304434C17E4D604BCF0095E048C02D3F4492552C146
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c952ed2051c690a40ba44b6e4fdb32175589b2da9b7354d9aa09500bb4d43f3
                                      • Instruction ID: f8f13e304902daad7dc654c29f658f7a6e47ec8902ff018cfa128475c8e40ade
                                      • Opcode Fuzzy Hash: 2c952ed2051c690a40ba44b6e4fdb32175589b2da9b7354d9aa09500bb4d43f3
                                      • Instruction Fuzzy Hash: 7FC01201F1A80E4BDD3026ED98914A872509FED120BD612B2C02480191D82D529B1682
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d075202b59aceb67ac44ac7080e4f6133a12d3e6b42f164213e7c47b6c2e7c1e
                                      • Instruction ID: c920fee89e6bae10cf69cc11006d5a17e587c023ff4876d13b54beb072f38f21
                                      • Opcode Fuzzy Hash: d075202b59aceb67ac44ac7080e4f6133a12d3e6b42f164213e7c47b6c2e7c1e
                                      • Instruction Fuzzy Hash: 06D0127587894DEFDB256F9894095FEB734FB40305F411656F42E82150EB3463248B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 381f56efed28000ca0f845e5a8dbbe25c5dca890fd37bdae5ee672fc293eef19
                                      • Instruction ID: 9b7ab27cb9c38351c4622a5511a6586e96207d4e45ca5d4a60ad70f464579208
                                      • Opcode Fuzzy Hash: 381f56efed28000ca0f845e5a8dbbe25c5dca890fd37bdae5ee672fc293eef19
                                      • Instruction Fuzzy Hash: C7C04C04E6690A01ED6832B90DA62E521806B58215FC90070EC08C51A1E98E57D94252
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f46052c3daa296ef21493576b9ae16afb89271206f8705a494a06fec8aaa54a2
                                      • Instruction ID: f27f4f69556bc562ad2fbc32eee49ca7f44f4ddc7847b3bc09ed8fa5c767223d
                                      • Opcode Fuzzy Hash: f46052c3daa296ef21493576b9ae16afb89271206f8705a494a06fec8aaa54a2
                                      • Instruction Fuzzy Hash: D3C09B11D5B40E4AD7253BE558925B873D0BB8D331FE24071D44444096946D11972142
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 442423a0a8b3391a3fc31a18db83e6a38077d7323dd38277dcfda8dfd51c55e1
                                      • Instruction ID: 1273dd38ef7211fd300fa8d9c2e154166116563d47b365879caf6e8f19da79fd
                                      • Opcode Fuzzy Hash: 442423a0a8b3391a3fc31a18db83e6a38077d7323dd38277dcfda8dfd51c55e1
                                      • Instruction Fuzzy Hash: 0FC01210E3F15FB5F53072E8487A2BC67009F01300B460171D04E220B35D3C33859296
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d163e3cd6a2bac4dc0a35bbe4d545a1ccdf51fbdcbb39f4e83262912bce24c2d
                                      • Instruction ID: 13188028a8b51cd18b4c6ce54c38c99c0c956436566a6de2c100ac101cc6e2ef
                                      • Opcode Fuzzy Hash: d163e3cd6a2bac4dc0a35bbe4d545a1ccdf51fbdcbb39f4e83262912bce24c2d
                                      • Instruction Fuzzy Hash: B8A00201F1EB5E4BF13016D4513137941400B0C711F1B1971943D265F36C2CAE811291
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cb2b82ae171060c725e07cb88ebd21ba0ee6f2ed61a88ae5a7d09304a6d4362a
                                      • Instruction ID: d71c6c7de1a5489b3b4d5df0be918917d6d855d83b0476832d145d593198d5f7
                                      • Opcode Fuzzy Hash: cb2b82ae171060c725e07cb88ebd21ba0ee6f2ed61a88ae5a7d09304a6d4362a
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H$H$H
                                      • API String ID: 0-1989617792
                                      • Opcode ID: cee279b0457f6979c3aae4c9f617393b713514527a5c847a58462256052534d8
                                      • Instruction ID: ebfcf22126f1904d1909eedf7b5f6baaedb821c9150da10f566d464fda8d63eb
                                      • Opcode Fuzzy Hash: cee279b0457f6979c3aae4c9f617393b713514527a5c847a58462256052534d8
                                      • Instruction Fuzzy Hash: F532E571B29B894FE7B5DB5C88657AAB7D1EF99340F01857EC08DC32A2DE34A902C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 48_^
                                      • API String ID: 0-3313842602
                                      • Opcode ID: 9b92ad6469f194dd68cac81e34232f9f255be6d51c93c1dd1f169f0bfd3fc84f
                                      • Instruction ID: 334ad27f619287fe485c4a9982e4e466aeca66b29c2e42c7ff03d1db7532d875
                                      • Opcode Fuzzy Hash: 9b92ad6469f194dd68cac81e34232f9f255be6d51c93c1dd1f169f0bfd3fc84f
                                      • Instruction Fuzzy Hash: D251E147B0E2B65AE70A777DBD698E92B50CF4223C70941F3D1D98F0D7AC4C248B9298
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37199c94fa388efb21b57e494bc677302d956dc4b7dbabd68340b0063ec9b5a0
                                      • Instruction ID: 766f0e3efd24624e5d649ef0866b4b55f8f4c4132d613c41ee1a6dfcca9b88ad
                                      • Opcode Fuzzy Hash: 37199c94fa388efb21b57e494bc677302d956dc4b7dbabd68340b0063ec9b5a0
                                      • Instruction Fuzzy Hash: 1FF14D6151E7C60FD31F4B644CA20B47FA1EF57215B1A42FEC8DBCB0A7D928690B8792
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 184a8fbad57ab5797865cb33f23caafcc672aac8c773a46f30a6f4b9255983b1
                                      • Instruction ID: 2abc8fec0270dffec9b5351cb2c7fa4b5a25b9ecffe51c9c5262e9bfe0eeb195
                                      • Opcode Fuzzy Hash: 184a8fbad57ab5797865cb33f23caafcc672aac8c773a46f30a6f4b9255983b1
                                      • Instruction Fuzzy Hash: 08B11630B2E60E9BE73C8A9484615B87B90FF55324F25427DD49BC35E3EE29BE06D241
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1830041216.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b9e0000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2fa199fa08ebb35b1ca05e6fd6e1e17b64fd2e1988d23ad834c380969c79ab80
                                      • Instruction ID: 12425f65b4bbcd6ba06a4996d09a6c45aab14b1ad2333559a8c0de266df0af3f
                                      • Opcode Fuzzy Hash: 2fa199fa08ebb35b1ca05e6fd6e1e17b64fd2e1988d23ad834c380969c79ab80
                                      • Instruction Fuzzy Hash: F781477615F2CC6FE72367A55C248E37FA8DF43275B0801AFE098C6063E5191A5AC362
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: N_^6$N_^<$N_^D$N_^E$N_^F$N_^P
                                      • API String ID: 0-1076853421
                                      • Opcode ID: 2409a0107f8c3ec75140d96bd46641158c09998ae414d8546861de410028c533
                                      • Instruction ID: 3ea2194e03dc559f0440aa28d42886743f6033897ea1d727c3f79ae87124b6f8
                                      • Opcode Fuzzy Hash: 2409a0107f8c3ec75140d96bd46641158c09998ae414d8546861de410028c533
                                      • Instruction Fuzzy Hash: 6931496370DA654BD3166B6CACB55D43B90DF8523470841F7C394CB047E918144B43C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: O_^?$O_^T$O_^V$O_^X$O_^Z
                                      • API String ID: 0-450726227
                                      • Opcode ID: 63b361312fecc51c1b5a4915da4bf83ed3e24573e182687d624af9acb7bb22f2
                                      • Instruction ID: c44d1de4a46181c305d5022f48c9f15d94c08126b2d80f89a61ac7603a7560b6
                                      • Opcode Fuzzy Hash: 63b361312fecc51c1b5a4915da4bf83ed3e24573e182687d624af9acb7bb22f2
                                      • Instruction Fuzzy Hash: 0B512767B1D5BA8AE31B37BC7C255E82B40DF41739B0941F7D0AE8F0D7AC5820879295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: N_^$$N_^%$N_^&$N_^/$N_^0
                                      • API String ID: 0-1605804609
                                      • Opcode ID: 175ca446f238e57399096140decc1724ea4348df71d1b7631420d95d45cf317b
                                      • Instruction ID: 8b5263e6de015987dadcffc83501577165a93188741b9987cc2470f6c21bad01
                                      • Opcode Fuzzy Hash: 175ca446f238e57399096140decc1724ea4348df71d1b7631420d95d45cf317b
                                      • Instruction Fuzzy Hash: AD510767B085768AD30A7BBD7C694E87B50DF44239B4805FBC2ED8B0C7ED28208643C6
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1986440984.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd9b890000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
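The entries above are the raw per-function output of the Joe Sandbox IDA plugin; to pivot on them (group functions by the memory region they were lifted from, separate the submitted process from the powershell child, collect the instruction fuzzy hashes for comparison against another report) it helps to parse them into records. The following is an added example, not code from the Joe Sandbox report or its IDA plugin. The sample text embedded in the block is copied from three of the entries on this page. Only the labelled fields as printed are parsed; reading the first dotted component of the .sdmp file name as the analysed process index is an assumption, noted in the code, that agrees with the hcaresult_<n>_ prefix of the snapshot files shown here.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function entries into records.

Added example, not part of the Joe Sandbox report or its IDA plugin.
SAMPLE is copied from three entries on this page (processes 0 and 2).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1829043677.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f46052c3daa296ef21493576b9ae16afb89271206f8705a494a06fec8aaa54a2
• Instruction ID: f27f4f69556bc562ad2fbc32eee49ca7f44f4ddc7847b3bc09ed8fa5c767223d
• Opcode Fuzzy Hash: f46052c3daa296ef21493576b9ae16afb89271206f8705a494a06fec8aaa54a2
• Instruction Fuzzy Hash: D3C09B11D5B40E4AD7253BE558925B873D0BB8D331FE24071D44444096946D11972142
Strings
Memory Dump Source
• Source File: 00000000.00000002.1829660530.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b960000_d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.jbxd
Similarity
• API ID:
• String ID: H$H$H
• API String ID: 0-1989617792
• Opcode ID: cee279b0457f6979c3aae4c9f617393b713514527a5c847a58462256052534d8
• Instruction ID: ebfcf22126f1904d1909eedf7b5f6baaedb821c9150da10f566d464fda8d63eb
• Opcode Fuzzy Hash: cee279b0457f6979c3aae4c9f617393b713514527a5c847a58462256052534d8
• Instruction Fuzzy Hash: F532E571B29B894FE7B5DB5C88657AAB7D1EF99340F01857EC08DC32A2DE34A902C741
Memory Dump Source
• Source File: 00000002.00000002.1986440984.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b890000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SECTION_LABELS = {"Joe Sandbox IDA Plugin", "Similarity", "Strings"}


@dataclass
class FunctionEntry:
    fields: Dict[str, str]

    def get(self, key: str) -> str:
        return self.fields.get(key, "")

    @property
    def offset(self) -> str:
        return self.get("Offset")

    @property
    def process_index(self) -> Optional[int]:
        # Assumption: the first dotted component of the .sdmp name is the
        # analysed process index; on this page it matches hcaresult_<n>_.
        src = self.get("Source File")
        return int(src.split(".")[0]) if src else None


def parse_entries(text: str) -> List[FunctionEntry]:
    """Each 'Memory Dump Source' line starts a new record; '• Key: value'
    lines fill it. Empty values (e.g. 'API ID:') are kept as ''."""
    entries: List[FunctionEntry] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(FunctionEntry(current))
            continue
        if not line or line in SECTION_LABELS or current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # 'file.sdmp, Offset: ..., based on PE: false' share one line
            parts = [p.strip() for p in value.split(",")]
            current[key] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                current[k.strip()] = v.strip()
        else:
            current[key] = value
    return entries


def by_region(entries: List[FunctionEntry]) -> Dict[str, List[FunctionEntry]]:
    """Group functions by the base address of the dumped region."""
    regions: Dict[str, List[FunctionEntry]] = {}
    for e in entries:
        regions.setdefault(e.offset, []).append(e)
    return regions


def opcode_id_equals_fuzzy(entries: List[FunctionEntry]) -> bool:
    """On this page Opcode ID and Opcode Fuzzy Hash are identical for every
    entry; check it instead of assuming it before deduplicating on either."""
    return all(e.get("Opcode ID") == e.get("Opcode Fuzzy Hash") for e in entries)


def instruction_hashes(entries: List[FunctionEntry]) -> List[str]:
    """Distinct non-empty Instruction Fuzzy Hash values, the field to carry
    over when comparing this dump against functions in another report."""
    return sorted({e.get("Instruction Fuzzy Hash") for e in entries} - {""})
```

Run on the full report text rather than SAMPLE to get every function; entries whose "Instruction Fuzzy Hash" is empty (one appears above) are parsed but dropped from `instruction_hashes`, and `process_index` separates functions lifted from the submitted sample (index 0) from those lifted from the powershell process (index 2).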